
Analysis Report DINTEC PO.exe

Overview

General Information

Sample Name: DINTEC PO.exe
Analysis ID: 339185
MD5: f1d00b68162820d29eb884a91b9e6a09
SHA1: 406621cc2e30d19645513296fe1c5f50dd6c3848
SHA256: 29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891
Tags: exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Uses dynamic DNS services
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DINTEC PO.exe (PID: 4584 cmdline: 'C:\Users\user\Desktop\DINTEC PO.exe' MD5: F1D00B68162820D29EB884A91B9E6A09)
    • a.exe (PID: 6040 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: F1D00B68162820D29EB884A91B9E6A09)
  • a.exe (PID: 6896 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: F1D00B68162820D29EB884A91B9E6A09)
    • InstallUtil.exe (PID: 6676 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • dhcpmon.exe (PID: 4904 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x20f2:$a: NanoCore
  • 0x2117:$a: NanoCore
  • 0x2170:$a: NanoCore
  • 0x1230d:$a: NanoCore
  • 0x12333:$a: NanoCore
  • 0x1238f:$a: NanoCore
  • 0x1f1e4:$a: NanoCore
  • 0x1f23d:$a: NanoCore
  • 0x1f270:$a: NanoCore
  • 0x1f49c:$a: NanoCore
  • 0x1f518:$a: NanoCore
  • 0x1fb31:$a: NanoCore
  • 0x1fc7a:$a: NanoCore
  • 0x2014e:$a: NanoCore
  • 0x20435:$a: NanoCore
  • 0x2044c:$a: NanoCore
  • 0x259ea:$a: NanoCore
  • 0x25a64:$a: NanoCore
  • 0x2a601:$a: NanoCore
  • 0x2b9bb:$a: NanoCore
  • 0x2ba05:$a: NanoCore
00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x10ef7:$x1: NanoCore.ClientPluginHost
  • 0x43aa5:$x1: NanoCore.ClientPluginHost
  • 0x10f34:$x2: IClientNetworkHost
  • 0x43ae2:$x2: IClientNetworkHost
  • 0x14a67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x10c5f:$a: NanoCore
    • 0x10c6f:$a: NanoCore
    • 0x10ea3:$a: NanoCore
    • 0x10eb7:$a: NanoCore
    • 0x10ef7:$a: NanoCore
    • 0x4380d:$a: NanoCore
    • 0x4381d:$a: NanoCore
    • 0x43a51:$a: NanoCore
    • 0x43a65:$a: NanoCore
    • 0x43aa5:$a: NanoCore
    • 0x10cbe:$b: ClientPlugin
    • 0x10ec0:$b: ClientPlugin
    • 0x10f00:$b: ClientPlugin
    • 0x4386c:$b: ClientPlugin
    • 0x43a6e:$b: ClientPlugin
    • 0x43aae:$b: ClientPlugin
    • 0x10de5:$c: ProjectData
    • 0x43993:$c: ProjectData
    • 0x117ec:$d: DESCrypto
    • 0x4439a:$d: DESCrypto
    • 0x191b8:$e: KeepAlive
00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x10ef7:$x1: NanoCore.ClientPluginHost
    • 0x43aa5:$x1: NanoCore.ClientPluginHost
    • 0x10f34:$x2: IClientNetworkHost
    • 0x43ae2:$x2: IClientNetworkHost
    • 0x14a67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x47615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(19 further Yara matches are not shown on this page.)
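The offset listing above (for example `0x10ef7:$x1: NanoCore.ClientPluginHost`) is what a Yara string match looks like once rendered. The scanner below is an added example written for this page; it is not the sandbox's engine and not the real rules by Kevin Breen or Florian Roth. It takes only the string identifiers the report shows matching, uses simplified `all`/`any` conditions that are an assumption, and runs over a constructed byte buffer rather than a dump of the real sample.

```python
"""Minimal Yara-style string scanner that reproduces the offset listing in the
Yara Overview above (lines such as ``0x10ef7:$x1: NanoCore.ClientPluginHost``).

Added example for this page; not the sandbox's scanner and not the real rules
by Kevin Breen or Florian Roth. The string sets are only the identifiers the
report shows matching, and the conditions are simplifying assumptions.
"""
import re
from dataclasses import dataclass

# Assumed rule definitions, built from the strings listed in the report.
RULES = {
    "NanoCore": {
        "strings": {
            "$a": b"NanoCore",
            "$b": b"ClientPlugin",
            "$c": b"ProjectData",
            "$d": b"DESCrypto",
            "$e": b"KeepAlive",
        },
        "condition": "all",  # assumption: every string must be present
    },
    "Nanocore_RAT_Gen_2": {
        "strings": {
            "$x1": b"NanoCore.ClientPluginHost",
            "$x2": b"IClientNetworkHost",
        },
        "condition": "any",  # assumption: one high-confidence string suffices
    },
}


@dataclass
class Match:
    rule: str
    hits: dict      # identifier -> sorted list of offsets
    strings: dict   # identifier -> pattern bytes, kept for rendering


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in haystack; the lookahead keeps overlapping hits."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(needle) + b")", haystack)]


def scan(buf: bytes, rules: dict = RULES) -> list[Match]:
    """Evaluate each rule over buf; return a Match for every rule that fires."""
    matches = []
    for name, rule in rules.items():
        hits = {ident: find_all(buf, pat) for ident, pat in rule["strings"].items()}
        hits = {ident: offs for ident, offs in hits.items() if offs}
        if rule["condition"] == "all":
            fired = len(hits) == len(rule["strings"])
        else:  # "any"
            fired = bool(hits)
        if fired:
            matches.append(Match(name, hits, rule["strings"]))
    return matches


def format_hits(match: Match) -> list[str]:
    """Render hits the way the report prints them: 0x<offset>:$id: <string>."""
    return [
        f"{off:#x}:{ident}: {match.strings[ident].decode('ascii')}"
        for ident, offs in match.hits.items()
        for off in offs
    ]


# Constructed stand-in for a process memory dump: padding around the kind of
# .NET type names the report found. These are not bytes from the real sample.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"NanoCore.ClientPluginHost\x00IClientNetworkHost\x00"
    + b"ProjectData\x00DESCrypto\x00KeepAlive\x00"
    + b"\x00" * 0x20
    + b"ClientPlugin\x00"
)

if __name__ == "__main__":
    for m in scan(SAMPLE_DUMP):
        print(m.rule)
        for line in format_hits(m):
            print("  ", line)
```

Note that `$a` (`NanoCore`) and `$x1` (`NanoCore.ClientPluginHost`) fire at the same offset, exactly as the report shows at `0x10ef7` for both rules: the short Breen string is a prefix of the longer Roth string, so the two rules corroborate each other on the same bytes rather than on independent evidence.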

    Sigma Overview

    System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
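The Sigma hit above keys on a Sysmon FileCreate event (EventID 11) whose target is `%APPDATA%\<GUID>\run.dat`. The code below is an added example for this page, not Joe Security's rule or the sandbox's Sigma engine: it applies that check, plus a second check for a `.lnk` written into the Startup folder (the persistence this report lists separately), to Sysmon-style event records. The GUID pattern, the "Explorer is the legitimate writer of Startup shortcuts" assumption and the event dictionaries are constructed; the first two records reuse paths that appear in this report.

```python
"""Apply the file-creation logic behind the Sigma hit above to Sysmon-style
event records. Added example for this page, not Joe Security's rule or the
sandbox's Sigma engine; the event dictionaries below are constructed, with
the first two copied from paths that appear in this report.
"""
import re

# Sysmon EventID 11 is FileCreate. NanoCore keeps its state as
# %APPDATA%\<GUID>\run.dat; a .lnk written into the Startup folder is the
# persistence the report lists under "Stores files to the Windows start menu".
# Both patterns are assumptions generalised from the paths on this page.
GUID = r"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?"
RUN_DAT = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Assumption: shortcuts legitimately placed in Startup come from Explorer.
EXPLORER = "c:\\windows\\explorer.exe"


def classify(event: dict) -> list[str]:
    """Names of the checks an event triggers; empty if it is not a FileCreate hit."""
    if event.get("EventID") != 11:
        return []
    target = event.get("TargetFilename", "")
    image = event.get("Image", "").lower()
    hits = []
    if RUN_DAT.search(target):
        hits.append("nanocore_run_dat")
    if STARTUP_LNK.search(target) and image != EXPLORER:
        hits.append("startup_lnk_from_non_explorer")
    return hits


def triage(events: list[dict]) -> list[dict]:
    """Collect (pid, image, checks) for every event that fires at least one check."""
    out = []
    for ev in events:
        checks = classify(ev)
        if checks:
            out.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"), "checks": checks})
    return out


# Constructed Sysmon-style records (field names follow Sysmon's event XML).
EVENTS = [
    {  # copied from the Sigma hit in this report
        "EventID": 11, "ProcessId": 6676,
        "Image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat",
    },
    {  # the Startup shortcut the report lists under "File created"
        "EventID": 11, "ProcessId": 4584,
        "Image": r"C:\Users\user\Desktop\DINTEC PO.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk",
    },
    {  # constructed benign: the user pins a shortcut via Explorer
        "EventID": 11, "ProcessId": 1234,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk",
    },
    {  # constructed: same path but a ProcessCreate event, so not a file-create hit
        "EventID": 1, "ProcessId": 6676,
        "Image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat",
    },
    {  # constructed benign: ordinary per-user settings file
        "EventID": 11, "ProcessId": 2222,
        "Image": r"C:\Program Files\SomeApp\someapp.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\SomeApp\settings.dat",
    },
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The GUID directory name is the discriminating part: `run.dat` alone is too generic, and plenty of software writes under `%APPDATA%`. In this sample the writer was also a renamed copy of `InstallUtil.exe` running out of `%LOCALAPPDATA%\Temp`, which is worth a separate check on the `Image` path in a production rule.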

    Signature Overview


    AV Detection:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 6896, type: MEMORY
    Source: DINTEC PO.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: DINTEC PO.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: System.pdbM source: InstallUtil.exe, 00000004.00000003.904681464.0000000001078000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.749350988.00000000008A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.4.dr
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then jmp 0146EB76h
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov esp, ebp
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov esp, ebp
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then push dword ptr [ebp-24h]
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then push dword ptr [ebp-24h]
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then push dword ptr [ebp-20h]
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov esp, ebp
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then push dword ptr [ebp-20h]
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then xor edx, edx
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then xor edx, edx
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 4x nop then jmp 024AEB76h
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 4x nop then mov esp, ebp
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 4x nop then mov esp, ebp
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 4x nop then mov esp, ebp
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 4x nop then mov esp, ebp

    Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: mnvh54254.ddns.net
Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 95.181.155.123:6653
Source: Joe Sandbox View | ASN Name: MSKHOSTRU MSKHOSTRU
Source: unknown | DNS traffic detected: queries for: mnvh54254.ddns.net
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1048821973.0000000000BD9000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp
Source: DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/Ident
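Two of the network observables above are the ones a responder would turn into detections: the lookup of a dynamic DNS hostname (`mnvh54254.ddns.net`) and the TCP flow to a non-standard port (`95.181.155.123:6653`). The function below is an added example for this page and not the sandbox's own logic; it parses report-style traffic lines and flags both. The dynamic DNS suffix list and the set of "standard" ports are assumptions, the first two sample lines are copied from this report, and the remaining lines are constructed.

```python
"""Flag the two network observables in the Networking section above: a lookup
of a dynamic DNS hostname and a TCP flow to a non-standard port. Added example
for this page, not the sandbox's logic; the provider suffix list and the port
policy are assumptions, the first two sample lines are copied from the report
and the remaining ones are constructed.
"""
import re
from ipaddress import ip_address

# Assumptions: a partial list of dynamic DNS providers, and the set of ports
# an outbound connection may use without review.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "hopto.org")
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}

DNS_RE = re.compile(r"DNS query: name: (?P<name>[A-Za-z0-9.-]+)")
TCP_RE = re.compile(
    r"TCP traffic: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_dyndns(name: str) -> bool:
    """True for a hostname *under* a dynamic DNS suffix, matched on label
    boundaries: xddns.net does not match, and the bare provider zone is not
    a customer host."""
    labels = name.lower().rstrip(".").split(".")
    for suffix in DYNDNS_SUFFIXES:
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return True
    return False


def triage(lines: list[str]) -> list[dict]:
    """Parse report-style traffic lines and return the indicators worth noting."""
    findings = []
    for line in lines:
        if m := DNS_RE.search(line):
            if is_dyndns(m["name"]):
                findings.append({"kind": "dyndns", "value": m["name"]})
            continue
        if m := TCP_RE.search(line):
            dst, dport = m["dst"], int(m["dport"])
            # Internal flows to odd ports are common (printers, dev servers);
            # only flag non-standard ports on public destinations.
            if ip_address(dst).is_global and dport not in STANDARD_PORTS:
                findings.append({"kind": "nonstandard_port", "value": f"{dst}:{dport}"})
    return findings


# Sample input: the first two lines appear in this report, the rest are constructed.
LINES = [
    "Source: unknown DNS query: name: mnvh54254.ddns.net",
    "Source: global traffic TCP traffic: 192.168.2.4:49741 -> 95.181.155.123:6653",
    "Source: unknown DNS query: name: www.example.com",
    "Source: global traffic TCP traffic: 192.168.2.4:49742 -> 93.184.216.34:443",
    "Source: global traffic TCP traffic: 192.168.2.4:49743 -> 192.168.2.1:8080",
]

if __name__ == "__main__":
    for f in triage(LINES):
        print(f"{f['kind']:<17} {f['value']}")
```

Matching on label boundaries matters: a naive `endswith("ddns.net")` would also fire on an unrelated `xddns.net`, and the provider's own zone apex should not be treated as a customer-registered host. The resolved address behind a dynamic DNS name can change between the sandbox run and an investigation, so the hostname, not the IP, is the durable indicator.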

    E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

    System Summary:

Malicious sample detected (through community Yara rule)
    Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: InstallUtil.exe PID: 6676, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: a.exe PID: 6896, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: a.exe PID: 6896, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B583838 CreateProcessAsUserW,
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_0146B170
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_0146E3A0
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_01460448
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_014634F8
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_0146EBA0
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_01469A3F
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_01466D38
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_01463C60
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_0146CC30
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_01468F4A
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_01460441
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_0146F648
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_0146EB90
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055BAD38
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055BAD2A
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055B4DFA
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055B4E08
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055B4858
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055BB849
    Source: C:\Users\user\Desktop\DINTEC PO.exeCode function: 0_2_055B4847
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024A9A3F
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024AEBA0
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024AE3A0
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024AB170
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024A8F4B
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024A0448
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024A6C10
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024ACC30
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024A34F8
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024AEB90
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024AF648
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_024A0438
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B580770
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B584E78
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B582618
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B580040
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B580760
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B584E69
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B582607
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B585A98
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B581D50
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B581D3F
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B583D20
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B580006
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B5818D8
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B5818C9
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 2_2_0B5830A0
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_02609A42
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_0260B170
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_02608F57
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_02603C61
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_02600448
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_0260CC3F
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_026034F8
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_0260B181
    Source: C:\Users\user\AppData\Roaming\a.exeCode function: 5_2_02600438
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_008A20B0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_010F07D8
    Source: DINTEC PO.exeBinary or memory string: OriginalFilename vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.721423524.0000000008415000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePO ALCA.exeH vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.722399909.0000000008FF0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.722399909.0000000008FF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.722132752.0000000008EF0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs DINTEC PO.exe
    Source: DINTEC PO.exe, 00000000.00000002.720559556.0000000005660000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs DINTEC PO.exe
    Source: DINTEC PO.exeBinary or memory string: OriginalFilenamePO ALCA.exeH vs DINTEC PO.exe
    Source: C:\Users\user\Desktop\DINTEC PO.exeSection loaded: propsys.dll
    Source: C:\Users\user\Desktop\DINTEC PO.exeSection loaded: windows.staterepositoryps.dll
    Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: InstallUtil.exe PID: 6676, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: a.exe PID: 6896, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: a.exe PID: 6896, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/13@2/1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\DINTEC PO.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ffdfcbd2-3989-4236-a47d-b9533fb19ad2}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
Source: C:\Users\user\Desktop\DINTEC PO.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: DINTEC PO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\DINTEC PO.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\a.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\a.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DINTEC PO.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DINTEC PO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DINTEC PO.exe | File read: C:\Users\user\Desktop\DINTEC PO.exe
Source: unknown | Process created: C:\Users\user\Desktop\DINTEC PO.exe 'C:\Users\user\Desktop\DINTEC PO.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DINTEC PO.exe | Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\DINTEC PO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\DINTEC PO.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: DINTEC PO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055BD340 pushfd ; ret
    Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02606976 push 0000003Bh; ret
    Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_0260694A push 0000003Bh; ret
    Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Roaming\a.exe
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\DINTEC PO.exe File opened: C:\Users\user\Desktop\DINTEC PO.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\a.exe File opened: C:\Users\user\AppData\Roaming\a.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\DINTEC PO.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\DINTEC PO.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
    Source: C:\Users\user\Desktop\DINTEC PO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\DINTEC PO.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 3849
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 5664
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 701
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 626
    Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6724 Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6736 Thread sleep count: 196 > 30
    Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6544 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6992 Thread sleep count: 261 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6992 Thread sleep time: -261000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 1444 Thread sleep count: 53 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 1444 Thread sleep count: 122 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 5712 Thread sleep count: 349 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 5712 Thread sleep time: -349000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3976 Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6384 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6752 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe Last function: Thread delayed
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: VMware
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmware svga
    Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmware
    Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1049116423.00000000026A0000.00000004.00000001.sdmp, a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
    Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1049116423.00000000026A0000.00000004.00000001.sdmp, a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
    Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1049116423.00000000026A0000.00000004.00000001.sdmp, a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmusrvc
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmsrvc
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmtools
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
    Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
    Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\DINTEC PO.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\DINTEC PO.exe Process token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\DINTEC PO.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\AppData\Roaming\a.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
    Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
    Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
    Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
    Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: B76008
    Source: C:\Users\user\Desktop\DINTEC PO.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
    Source: C:\Users\user\AppData\Roaming\a.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Program Manager
    Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\DINTEC PO.exe Queries volume information: C:\Users\user\Desktop\DINTEC PO.exe VolumeInformation
    Source: C:\Users\user\Desktop\DINTEC PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\DINTEC PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Users\user\Desktop\DINTEC PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
    Source: Yara match File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: DINTEC PO.exe, 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: a.exe, 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteC
reateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGui
dAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleU
DPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Yara detected Nanocore RAT
    Source: Yara match, File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
    Source: Yara match, File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

    Mitre Att&ck Matrix

    Numbers in parentheses give the count of matching signatures for that technique; an empty cell means no technique is listed for that tactic in that row.

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts (1) | Windows Management Instrumentation (1) | Startup Items (1) | Startup Items (1) | Masquerading (2) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Valid Accounts (1) | Valid Accounts (1) | Valid Accounts (1) | LSASS Memory | Security Software Discovery (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder (2) | Access Token Manipulation (1) | Access Token Manipulation (1) | Security Account Manager | Virtualization/Sandbox Evasion (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | DLL Side-Loading (1) | Process Injection (312) | Virtualization/Sandbox Evasion (3) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder (2) | Disable or Modify Tools (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (11) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | DLL Side-Loading (1) | Process Injection (312) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories (1) | DCSync | System Information Discovery (12) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information (2) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

    Behavior Graph

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    Source | Detection | Scanner
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Virustotal
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs
    C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender
    C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source | Detection | Scanner
    mnvh54254.ddns.net | 4% | Virustotal

    URLs

    Source | Detection | Scanner | Label
    http://ns.ado/Ident | 0% | Avira URL Cloud | safe
    http://iptc.tc4xmp | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    mnvh54254.ddns.net | 95.181.155.123 | true | true | | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://ns.ado/Ident | DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://iptc.tc4xmp | DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1048821973.0000000000BD9000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

    Contacted IPs


    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    95.181.155.123 | unknown | Russian Federation | 207319 | MSKHOSTRU | true

    General Information

    Joe Sandbox Version: 31.0.0 Red Diamond
    Analysis ID: 339185
    Start date: 13.01.2021
    Start time: 16:59:35
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 11m 46s
    Hypervisor based Inspection enabled: false
    Report type: light
    Sample file name: DINTEC PO.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed: 21
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@8/13@2/1
    EGA Information: Failed
    HDC Information:
    • Successful, ratio: 0.3% (good quality ratio 0.3%)
    • Quality average: 60.4%
    • Quality standard deviation: 32.6%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
    • TCP Packets have been reduced to 100
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.193.48, 51.11.168.160, 52.147.198.201, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 93.184.220.29
    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, crl3.digicert.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.

    Simulations

    Behavior and APIs

    Time | Type | Description
    17:00:38 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
    17:01:01 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    Match | Associated Sample Name / URL | Detection | Context
    MSKHOSTRU | MPnIQlfxon.exe | malicious | 95.181.157.160
    MSKHOSTRU | tyoO13LUym.exe | malicious | 95.181.157.160
    MSKHOSTRU | LutcV95NdW.exe | malicious | 95.181.152.100
    MSKHOSTRU | SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe | malicious | 95.181.157.160
    MSKHOSTRU | SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe | malicious | 95.181.157.160
    MSKHOSTRU | SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe | malicious | 95.181.157.160
    MSKHOSTRU | pSFEOooHmL.exe | malicious | 95.181.152.177
    MSKHOSTRU | q1ClS5bciI.exe | malicious | 95.181.152.100
    MSKHOSTRU | 9xeZGfuoV5.exe | malicious | 95.181.152.177
    MSKHOSTRU | L7SzoVpjhW.exe | malicious | 95.181.152.177
    MSKHOSTRU | FIq05ylmFa.exe | malicious | 95.181.152.100
    MSKHOSTRU | noo8xFTpNS.exe | malicious | 95.181.152.177
    MSKHOSTRU | YWkOcHQwEy.exe | malicious | 95.181.152.177
    MSKHOSTRU | 0vuI5XGGlG.exe | malicious | 95.181.152.177
    MSKHOSTRU | FMBRNIuDlj.exe | malicious | 95.181.152.177
    MSKHOSTRU | 4niFjutXp6.exe | malicious | 95.181.152.100
    MSKHOSTRU | Z1Dlmc2efo.exe | malicious | 95.181.152.100
    MSKHOSTRU | voq4kj1z14.exe | malicious | 95.181.152.100
    MSKHOSTRU | 3VLexOmRKM.exe | malicious | 95.181.152.177
    MSKHOSTRU | NfeMUeolmz.exe | malicious | 95.181.152.177

    JA3 Fingerprints

    No context

    Dropped Files

    Match | Associated Sample Name / URL | Detection
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PO-5042.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | New Year Order 18723TW.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PO-75013.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | MV. Double Miracle.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SecuriteInfo.com.FileRepMalware.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | MV Double Miracle.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | TD-10057.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Ziraat Bankasi Swift Mesaji.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ndSscoDob9.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DXXJmIDl3C.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0YdVJ6vqhO.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | TT Payment Invoice.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | al9LrOC8eM.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | M4FBPQPaus.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | hcL39YT1CR.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | XaAUv98B2a.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 04XP8gXrF7.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | zosFl3kiAK.exe | malicious
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 4G5zLURjk4.exe | malicious

    Created / dropped Files

    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category: dropped
    Size (bytes): 41064
    Entropy (8bit): 6.164873449128079
    Encrypted: false
    SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
    MD5: EFEC8C379D165E3F33B536739AEE26A3
    SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
    SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
    SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
    Malicious: false
    Antivirus:
    • Antivirus: Virustotal, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    • Antivirus: ReversingLabs, Detection: 0%
    Joe Sandbox View:
    • Filename: PO-5042.exe, Detection: malicious
    • Filename: New Year Order 18723TW.exe, Detection: malicious
    • Filename: PO-75013.exe, Detection: malicious
    • Filename: MV. Double Miracle.exe, Detection: malicious
    • Filename: SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe, Detection: malicious
    • Filename: SecuriteInfo.com.FileRepMalware.exe, Detection: malicious
    • Filename: MV Double Miracle.exe, Detection: malicious
    • Filename: TD-10057.exe, Detection: malicious
    • Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
    • Filename: ndSscoDob9.exe, Detection: malicious
    • Filename: DXXJmIDl3C.exe, Detection: malicious
    • Filename: 0YdVJ6vqhO.exe, Detection: malicious
    • Filename: TT Payment Invoice.exe, Detection: malicious
    • Filename: al9LrOC8eM.exe, Detection: malicious
    • Filename: M4FBPQPaus.exe, Detection: malicious
    • Filename: hcL39YT1CR.exe, Detection: malicious
    • Filename: XaAUv98B2a.exe, Detection: malicious
    • Filename: 04XP8gXrF7.exe, Detection: malicious
    • Filename: zosFl3kiAK.exe, Detection: malicious
    • Filename: 4G5zLURjk4.exe, Detection: malicious
    Reputation: moderate, very likely benign file
    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DINTEC PO.exe.log
    Process: C:\Users\user\Desktop\DINTEC PO.exe
    File Type: ASCII text, with CRLF line terminators
    Category: modified
    Size (bytes): 1451
    Entropy (8bit): 5.345862727722058
    Encrypted: false
    SSDEEP: 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
    MD5: 06F54CDBFEF62849AF5AE052722BD7B6
    SHA1: FB0250AAC2057D0B5BCE4CE130891E428F28DA05
    SHA-256: 4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
    SHA-512: 34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
    Malicious: false
    Reputation: moderate, very likely benign file
    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a.exe.log
    Process: C:\Users\user\AppData\Roaming\a.exe
    File Type: ASCII text, with CRLF line terminators
    Category: dropped
    Size (bytes): 1362
    Entropy (8bit): 5.343186145897752
    Encrypted: false
    SSDEEP: 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
    MD5: 1249251E90A1C28AB8F7235F30056DEB
    SHA1: 166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
    SHA-256: B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
    SHA-512: FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
    Malicious: false
    Reputation: moderate, very likely benign file
    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
    Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    File Type: ASCII text, with CRLF line terminators
    Category: modified
    Size (bytes): 950
    Entropy (8bit): 5.350971482944737
    Encrypted: false
    SSDEEP: 24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
    MD5: CEE81B7EB08EE82CFE49E47B81B50D1A
    SHA1: 4746C7068BD50E3309BFFDBE8983B8F27D834DFD
    SHA-256: B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
    SHA-512: AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
    Malicious: false
    Reputation: moderate, very likely benign file
    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                            C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                            Process:C:\Users\user\Desktop\DINTEC PO.exe
                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):41064
                                            Entropy (8bit):6.164873449128079
                                            Encrypted:false
                                            SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                            MD5:EFEC8C379D165E3F33B536739AEE26A3
                                            SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                            SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                            SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Reputation:moderate, very likely benign file
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                            Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):232
                                            Entropy (8bit):7.024371743172393
                                            Encrypted:false
                                            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                            MD5:32D0AAE13696FF7F8AF33B2D22451028
                                            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                            File Type:ISO-8859 text, with no line terminators
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):2.75
                                            Encrypted:false
                                            SSDEEP:3:cPn:s
                                            MD5:04893A4DCE1D8CAEF2FD3842F08DB1CE
                                            SHA1:BD5634B7271F155892370BFF98C8A1A176B9A4B7
                                            SHA-256:BCD45F69F8A5CC43EBD63DC98FFFD784B812A8167151904E1A60A3D01EEFB54B
                                            SHA-512:36BB8589984D8407442E6EF0A659ABEF6760165015CDE7752417D2FF24FF05E228CDF28F887ED492BB51F02C7A2FCD073D29F097DCB1FD566CBEA31940EA3EC3
                                            Malicious:true
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                            Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):40
                                            Entropy (8bit):5.153055907333276
                                            Encrypted:false
                                            SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                            MD5:4E5E92E2369688041CC82EF9650EDED2
                                            SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                            SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                            SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                            Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):327432
                                            Entropy (8bit):7.99938831605763
                                            Encrypted:true
                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
                                            Process:C:\Users\user\Desktop\DINTEC PO.exe
                                            File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                            Category:dropped
                                            Size (bytes):854
                                            Entropy (8bit):3.0159112944533297
                                            Encrypted:false
                                            SSDEEP:12:8wl0RsXowAOcQ/tz0/CSLm9RKMJkHgTCNfBT/v4t2Y+xIBjK:8iLDWLYr+Vpd7aB
                                            MD5:CDE31B0A7CA104AEE6CB2FF9ABFED71F
                                            SHA1:B92338857A61560D0E667E6E3EB5B9CCF22CE260
                                            SHA-256:A835B03B57A7941B592CCF6825F308CDA3158A53B4B798B0E14C51D3E9DB1AB1
                                            SHA-512:AF3C36C759A831D5366F2493A4AAF7BA2A97181D098C4E2D2394F06BC379A3D947A8D2BFCFDA2ADE9C3D6AC44B0895C0E4470AA8AECF1D960C7424E2E6FAE99D
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\a.exe
                                            Process:C:\Users\user\Desktop\DINTEC PO.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):862720
                                            Entropy (8bit):5.4197749658829855
                                            Encrypted:false
                                            SSDEEP:6144:xMpm7XDISoFhkENO4jfCbN898MyDqFNb7LWt+Ao23KB2pTwcSn9vCfEvg4J:xszDNj6u8My+b/WtI23d9ZSn9Vd
                                            MD5:F1D00B68162820D29EB884A91B9E6A09
                                            SHA1:406621CC2E30D19645513296FE1C5F50DD6C3848
                                            SHA-256:29800B7D8E8C3C60918A37C992A2890B4CCF9E4E0C949ACCD48821302D0F2891
                                            SHA-512:B9098F02C929F9A59B4ADB846B47152D8EE69261D14558B3C2BF3BAFD35AC2A81E690C02C1F5DC6F6BEF694E4F79F668FBC16A20AB747914C570ABE8F22901FE
                                            Malicious:true
                                            C:\Users\user\AppData\Roaming\a.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\DINTEC PO.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview: [ZoneTransfer]....ZoneId=0
                                            \Device\ConDrv
                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):2017
                                            Entropy (8bit):4.663189584482275
                                            Encrypted:false
                                            SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                                            MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                                            SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                                            SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                                            SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                                            Malicious:false
                                            Preview: Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.4197749658829855
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:DINTEC PO.exe
                                            File size:862720
                                            MD5:f1d00b68162820d29eb884a91b9e6a09
                                            SHA1:406621cc2e30d19645513296fe1c5f50dd6c3848
                                            SHA256:29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891
                                            SHA512:b9098f02c929f9a59b4adb846b47152d8ee69261d14558b3c2bf3bafd35ac2a81e690c02c1f5dc6f6bef694e4f79f668fbc16a20ab747914c570abe8f22901fe
                                            SSDEEP:6144:xMpm7XDISoFhkENO4jfCbN898MyDqFNb7LWt+Ao23KB2pTwcSn9vCfEvg4J:xszDNj6u8My+b/WtI23d9ZSn9Vd

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x4d3c4e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                            Time Stamp:0x302CE720 [Sat Aug 12 17:38:40 1995 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al   (this line repeats 97 times in the original listing)
                                            The jmp targets the IAT at RVA 0x2000 (image base 0x400000), whose only entry is mscoree.dll!_CorExeMain, the standard native stub of a .NET executable; every byte after it is zero, and the byte pair 00 00 disassembles as add byte ptr [eax], al, so the remainder of the preview is padding rather than code.

                                            Data Directories

                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0xd3bfc          0x4f          .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd4000          0x61e         .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd6000          0xc           .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                            Sections

                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                            .text   0x2000           0xd1c54       0xd1e00   False     0.488976883562   data       5.42525670543   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc   0xd4000          0x61e         0x800     False     0.3515625        data       3.6599210344    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc  0xd6000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name         RVA      Size   Type                                                                        Language  Country
                                            RT_VERSION   0xd40a0  0x394  data
                                            RT_MANIFEST  0xd4434  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                            Imports

                                            DLL          Import
                                            mscoree.dll  _CorExeMain

                                            Version Infos

                                            Description       Data
                                            Translation       0x0000 0x04b0
                                            LegalCopyright    Copyright 2017 =?C538IEI@2B=?C?=JB8BDAI
                                            Assembly Version  1.0.0.0
                                            InternalName      PO ALCA.exe
                                            FileVersion       3.5.6.8
                                            CompanyName       =?C538IEI@2B=?C?=JB8BDAI
                                            Comments          BCBIJ6:J@J9:JB:E:D
                                            ProductName       B>;DD:B><B7<9:8JDE8
                                            ProductVersion    3.5.6.8
                                            FileDescription   B>;DD:B><B7<9:8JDE8
                                            OriginalFilename  PO ALCA.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 17:01:00.952848911 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:01.028206110 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:01.028367043 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:01.114006996 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:01.451936007 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:01.858261108 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:02.561496019 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:03.005784035 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:03.005836010 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:03.089016914 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:03.177653074 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:03.177742004 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:03.561520100 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:03.888801098 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:03.949511051 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:03.962405920 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:04.075752974 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:04.264669895 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:04.769470930 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:04.786421061 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:04.813169956 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:04.813241959 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:04.813321114 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:04.814028978 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:04.842773914 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:04.843736887 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.069211960 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.331626892 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.335463047 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.335556030 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.337575912 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.341698885 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.344283104 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.379535913 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.380742073 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.380809069 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.383564949 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.452286005 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.577234983 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.764817953 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.881474972 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.881515980 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.881599903 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.922389984 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.925460100 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.927619934 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:05.929500103 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.931454897 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:05.931540012 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.076910019 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.142680883 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.142771006 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.143799067 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.146528959 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.146584034 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.150599003 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.151644945 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.153623104 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.153649092 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.192765951 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.195647001 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.226119995 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.418000937 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.465146065 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.465230942 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.467014074 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.561733961 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.582814932 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.582904100 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.685321093 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.685368061 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.685444117 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.686191082 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.687038898 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.687164068 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.687232971 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.689173937 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.689677000 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.734419107 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.734477043 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.734509945 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.734543085 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.735380888 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.735491991 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.736346006 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.736386061 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.736419916 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.736452103 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.736489058 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.819372892 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.819490910 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.930474043 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.941236019 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.944252014 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.944380045 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.947284937 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.947316885 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.947406054 CET | 49741 | 6653 | 192.168.2.4 | 95.181.155.123
Jan 13, 2021 17:01:06.950398922 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4
Jan 13, 2021 17:01:06.955533028 CET | 6653 | 49741 | 95.181.155.123 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 17:00:25.347143888 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:25.403336048 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:26.344784975 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:26.392699003 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:27.283121109 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:27.331218004 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:28.324155092 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:28.372128963 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:29.396509886 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:29.452795029 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:54.564604044 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:54.612792969 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:58.005304098 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:58.053287029 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:00:58.999053001 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:00:59.055248022 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:00.013540030 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:00.062360048 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:00.868149996 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:00.934649944 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:00.951459885 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:01.002295971 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:01.622205019 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:01.680059910 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:03.095650911 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:03.146430969 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:15.299303055 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:15.355711937 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:17.906789064 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:17.993438005 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:18.579271078 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:18.638320923 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:19.392586946 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:19.504714966 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:19.661504984 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:19.725918055 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:20.164793015 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:20.226536036 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:20.765428066 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:20.821866035 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:21.434371948 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:21.490617037 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:22.387001991 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:22.437706947 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:24.354434967 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:24.405220985 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:24.823137045 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:24.879628897 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:25.249605894 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:25.300503969 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:25.839740038 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:25.896162033 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:26.067039013 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:26.123409986 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:26.403696060 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:26.459981918 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:27.067111015 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:27.126549006 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:27.851475954 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:27.902072906 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:01:31.775759935 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:01:31.838294983 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:02:05.329132080 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:02:05.377079964 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:02:07.006273031 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:02:07.073296070 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:02:27.355690956 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:02:27.416623116 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 17:02:38.157340050 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 17:02:38.205274105 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 17:01:00.868149996 CET | 192.168.2.4 | 8.8.8.8 | 0xde7f | Standard query (0) | mnvh54254.ddns.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:02:27.355690956 CET | 192.168.2.4 | 8.8.8.8 | 0xc738 | Standard query (0) | mnvh54254.ddns.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 17:01:00.934649944 CET | 8.8.8.8 | 192.168.2.4 | 0xde7f | No error (0) | mnvh54254.ddns.net | | 95.181.155.123 | A (IP address) | IN (0x0001)
Jan 13, 2021 17:02:27.416623116 CET | 8.8.8.8 | 192.168.2.4 | 0xc738 | No error (0) | mnvh54254.ddns.net | | 95.181.155.123 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 17:00:30
Start date: 13/01/2021
Path: C:\Users\user\Desktop\DINTEC PO.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DINTEC PO.exe'
Imagebase: 0xb40000
File size: 862720 bytes
MD5 hash: F1D00B68162820D29EB884A91B9E6A09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 17:00:46
Start date: 13/01/2021
Path: C:\Users\user\AppData\Roaming\a.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\a.exe'
Imagebase: 0x160000
File size: 862720 bytes
MD5 hash: F1D00B68162820D29EB884A91B9E6A09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 17:00:53
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x900000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: NanoCore, Description: unknown, Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 17:00:54
Start date: 13/01/2021
Path: C:\Users\user\AppData\Roaming\a.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\a.exe'
Imagebase: 0x2e0000
File size: 862720 bytes
MD5 hash: F1D00B68162820D29EB884A91B9E6A09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 17:01:10
Start date: 13/01/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x8a0000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 17:01:10
Start date: 13/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis