Analysis Report UCDR562uYv.exe

Overview

General Information

Sample Name: UCDR562uYv.exe
Analysis ID: 356809
MD5: cf3cbcf8eed33d5dd9778c4914b21fd9
SHA1: f64c016fdea3bbd98964bdfc2fda33d7aaba1361
SHA256: b9ebcdd39a9e00e766dafbf2ea752b7310d179f65b0d989c402cf45cf3efc321
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • UCDR562uYv.exe (PID: 6804 cmdline: 'C:\Users\user\Desktop\UCDR562uYv.exe' MD5: CF3CBCF8EED33D5DD9778C4914B21FD9)
    • schtasks.exe (PID: 7000 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • UCDR562uYv.exe (PID: 7060 cmdline: {path} MD5: CF3CBCF8EED33D5DD9778C4914B21FD9)
  • dhcpmon.exe (PID: 4964 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CF3CBCF8EED33D5DD9778C4914B21FD9)
    • schtasks.exe (PID: 6364 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6440 cmdline: {path} MD5: CF3CBCF8EED33D5DD9778C4914B21FD9)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2e8224ea-0d1f-4740-8aea-f16b1e97c433", "Group": "GODSPOWER", "Domain1": "kene3210.ddns.net", "Domain2": "127.0.0.1", "Port": 3210, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1c79f5:$x1: NanoCore.ClientPluginHost
  • 0x1c7a32:$x2: IClientNetworkHost
  • 0x1cb565:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1c775d:$a: NanoCore
  • 0x1c776d:$a: NanoCore
  • 0x1c79a1:$a: NanoCore
  • 0x1c79b5:$a: NanoCore
  • 0x1c79f5:$a: NanoCore
  • 0x1c77bc:$b: ClientPlugin
  • 0x1c79be:$b: ClientPlugin
  • 0x1c79fe:$b: ClientPlugin
  • 0x14ee18:$c: ProjectData
  • 0x1c78e3:$c: ProjectData
  • 0x14fb74:$d: DESCrypto
  • 0x1c82ea:$d: DESCrypto
  • 0x1cfcb6:$e: KeepAlive
  • 0x1cdca4:$g: LogClientMessage
  • 0x1c9e9f:$i: get_Connected
  • 0x1c8620:$j: #=q
  • 0x1c8650:$j: #=q
  • 0x1c866c:$j: #=q
  • 0x1c869c:$j: #=q
  • 0x1c86b8:$j: #=q
  • 0x1c86d4:$j: #=q
00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
(31 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0x28271:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
  • 0x2829e:$x2: IClientNetworkHost
5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x28271:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0x2934c:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
  • 0x2828b:$s5: IClientLoggingHost
5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
5.2.UCDR562uYv.exe.41d4595.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x23c48:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x23c75:$x2: IClientNetworkHost
5.2.UCDR562uYv.exe.41d4595.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x23c48:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x24d23:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x23c62:$s5: IClientLoggingHost
(66 entries in total; only the first are shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\UCDR562uYv.exe, ProcessId: 7060, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\UCDR562uYv.exe' , ParentImage: C:\Users\user\Desktop\UCDR562uYv.exe, ParentProcessId: 6804, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp', ProcessId: 7000

        Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the extracted configuration is reproduced in full under Malware Configuration above)
Yara detected Nanocore RAT
Source: Yara match; file source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.397040286.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORY
Source: Yara match; file source: Process Memory Space: UCDR562uYv.exe PID: 7060, type: MEMORY
Source: Yara match; file source: 5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.41d4595.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.41cff6c.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.62b4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.dhcpmon.exe.429ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.62b0000.11.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.dhcpmon.exe.46f1de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.62b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.dhcpmon.exe.42a4595.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.dhcpmon.exe.429ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.UCDR562uYv.exe.43a1de8.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lRvvjxua.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: UCDR562uYv.exe; Joe Sandbox ML: detected
Source: 5.2.UCDR562uYv.exe.62b0000.11.unpack; Avira: Label: TR/NanoCore.fadte
Source: 5.2.UCDR562uYv.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: UCDR562uYv.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: UCDR562uYv.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: w\Windows\System.pdb' source: UCDR562uYv.exe, 00000005.00000002.604305938.000000000640C000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: kene3210.ddns.net
Source: Malware configuration extractor; URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown; DNS query: name: kene3210.ddns.net
Source: unknown; DNS traffic detected: query: kene3210.ddns.net replaycode: Name error (3)
Source: unknown; DNS traffic detected: queries for: kene3210.ddns.net
Source: UCDR562uYv.exe, 00000000.00000002.344576426.0000000002F51000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.382464682.00000000032A1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UCDR562uYv.exe, 00000000.00000002.343975052.0000000001290000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: UCDR562uYv.exe, 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the same memory-dump and unpacked-PE sources as listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.604092482.0000000005A90000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.397040286.0000000004259000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: UCDR562uYv.exe PID: 7060, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: Process Memory Space: UCDR562uYv.exe PID: 7060, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.41d4595.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.41cff6c.4.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.32b965c.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.UCDR562uYv.exe.62b4629.10.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.5a90000.7.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 11.2.dhcpmon.exe.429ff6c.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.62b0000.11.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.dhcpmon.exe.46f1de8.1.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 8.2.dhcpmon.exe.46f1de8.1.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.UCDR562uYv.exe.62b0000.11.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 11.2.dhcpmon.exe.42a4595.4.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.429ff6c.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.UCDR562uYv.exe.43a1de8.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.UCDR562uYv.exe.43a1de8.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.UCDR562uYv.exe.31acaa0.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 0_2_0153E2D8
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 0_2_0153E2C8
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 0_2_0153BFE4
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 0_2_02F1AD90
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 0_2_02F1F330
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 5_2_02FBE480
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 5_2_02FBE471
Source: C:\Users\user\Desktop\UCDR562uYv.exe; Code function: 5_2_02FBBBD4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 8_2_016BE2C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 8_2_016BE2D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 8_2_016BBFE4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 11_2_0155E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 11_2_0155E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 11_2_0155BBD4
Source: UCDR562uYv.exe; Binary or memory string: OriginalFilename vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000000.00000002.354537675.0000000007490000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000000.00000002.354537675.0000000007490000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000000.00000002.353589455.00000000073A0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000000.00000002.343975052.0000000001290000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs UCDR562uYv.exe
Source: UCDR562uYv.exe; Binary or memory string: OriginalFilename vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000005.00000002.604584536.0000000006C70000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs UCDR562uYv.exe
Source: UCDR562uYv.exe, 00000005.00000002.604152037.00000000061B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs UCDR562uYv.exe
Source: UCDR562uYv.exe; Binary or memory string: OriginalFilenameir vs UCDR562uYv.exe
Source: UCDR562uYv.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.604092482.0000000005A90000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.604092482.0000000005A90000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.397040286.0000000004259000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: UCDR562uYv.exe PID: 7060, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: UCDR562uYv.exe PID: 7060, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.41d4595.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.41d4595.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.41cff6c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.41cff6c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.32b965c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.32b965c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.UCDR562uYv.exe.62b4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.62b4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.5a90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.5a90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.429ff6c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.429ff6c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.62b0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.62b0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.46f1de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.46f1de8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.UCDR562uYv.exe.62b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.62b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.42a4595.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.42a4595.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.429ff6c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.429ff6c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.UCDR562uYv.exe.43a1de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.UCDR562uYv.exe.43a1de8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.UCDR562uYv.exe.31acaa0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.UCDR562uYv.exe.31acaa0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
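        The match list above is long because every memory dump and every carved PE is reported separately; for triage what matters is which rule fired in which process. The Python below is an added example, not part of the Joe Sandbox report, that parses the three source forms the report uses (memory dumps named by a hex process index, unpacked PEs named by a decimal process index, and whole-process scans named by image and PID) and collapses the entries to rule by process. The input lines are a constructed subset of the entries above, with the rule metadata shortened; the "process N" labels are this example's own naming for the report's process index.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed input: a few entries copied from the match list above, in the
# fused "type: MEMORYMatched rule:" form the extracted page uses (the
# " | " separated form is accepted as well). Metadata is trimmed for length.
SAMPLE_LINES = [
    "Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth, description = Detetcs the Nanocore RAT",
    "Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan",
    "Source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
    "Source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth",
    "Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>",
    "Source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>MEMORY|UNPACKEDPE)"
    r"\s*\|?\s*Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.")   # memory dump: hex process index
UNPACK_RE = re.compile(r"^(\d+)\.\d+\.")                      # carved PE: decimal process index
PMS_RE = re.compile(r"^Process Memory Space:\s*(\S+)\s+PID:\s*(\d+)")


@dataclass
class Match:
    target: str            # the process the detection belongs to
    kind: str              # MEMORY (dump) or UNPACKEDPE (carved PE)
    rule: str
    author: Optional[str]


def target_of(src: str) -> str:
    """Map a report source string to a process label."""
    m = SDMP_RE.match(src)
    if m:
        return f"process {int(m.group(1), 16)}"
    m = UNPACK_RE.match(src)
    if m:
        return f"process {int(m.group(1))}"
    m = PMS_RE.match(src)
    if m:
        return f"{m.group(1)} (PID {m.group(2)})"
    return src  # unknown source form: keep it verbatim rather than guess


def parse_line(line: str) -> Optional[Match]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    author = re.search(r"\bauthor = ([^,]+)", m.group("meta"))
    return Match(target_of(m.group("src")), m.group("kind"), m.group("rule"),
                 author.group(1).strip() if author else None)


def summarize(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Rule name -> sorted list of processes it matched in."""
    hits = defaultdict(set)
    for line in lines:
        match = parse_line(line)
        if match:
            hits[match.rule].add(match.target)
    return {rule: sorted(targets) for rule, targets in hits.items()}


if __name__ == "__main__":
    for rule, targets in summarize(SAMPLE_LINES).items():
        print(f"{rule}: {', '.join(targets)}")
```

        Run over the full list, the summary shows the same three rules firing in process 0 (the initial sample), 5 (its relaunched copy), 8 and 11 (the two dhcpmon.exe instances), which is the expected picture for a loader that re-injects one payload into each stage rather than four unrelated detections.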
        Source: UCDR562uYv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: lRvvjxua.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/8@45/2
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File created: C:\Users\user\AppData\Roaming\lRvvjxua.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\ILfFylcPTjtwjeosyIRebRSmC
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{2e8224ea-0d1f-4740-8aea-f16b1e97c433}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_01
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File created: C:\Users\user\AppData\Local\Temp\tmp483E.tmp
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File read: C:\Users\user\Desktop\UCDR562uYv.exe
        Source: unknown | Process created: C:\Users\user\Desktop\UCDR562uYv.exe 'C:\Users\user\Desktop\UCDR562uYv.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\UCDR562uYv.exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp'
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | Process created: C:\Users\user\Desktop\UCDR562uYv.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
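        Both the initial sample and the dropped dhcpmon.exe register the task 'Updates\lRvvjxua' from an XML file written to %TEMP% moments earlier, which is the behaviour behind the "Scheduled temp file as task from temp location" Sigma hit. The Python below is an added example, not part of the report and not the Sigma rule itself, that applies that detection logic to process-creation events: it requires a schtasks.exe image, a /Create switch, and a /XML path under a temp directory, and it tolerates the single-quoted, double-quoted and bare argument forms. The events are constructed here; the first two reproduce the command lines quoted above, the third is a benign administrator task added for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    image: str            # full path of the created process
    command_line: str
    parent_image: str


# Constructed process-creation events. The first two reproduce the schtasks
# launches in the process tree above; the third is a benign task (constructed)
# registered from a non-temp location, which must not fire.
EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp'",
              r"C:\Users\user\Desktop\UCDR562uYv.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'",
              r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
              r"C:\Windows\System32\cmd.exe"),
]

# One argument value: double-quoted, single-quoted (as the report renders
# quotes) or bare. Exactly one of the three groups is set on a match.
ARG = r'''"([^"]+)"|'([^']+)'|(\S+)'''
XML_ARG_RE = re.compile(r"/xml\s+(?:" + ARG + ")", re.I)
TN_ARG_RE = re.compile(r"/tn\s+(?:" + ARG + ")", re.I)
# Directories that a task definition has no business living in.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _arg(match: "re.Match") -> str:
    return next(g for g in match.groups() if g is not None)


def detect(ev: ProcEvent) -> Optional[str]:
    """Return a reason string when the event matches the pattern, else None."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev.command_line
    if not re.search(r"/create\b", cmd, re.I):
        return None
    xml = XML_ARG_RE.search(cmd)
    if xml is None:
        return None
    xml_path = _arg(xml).lower()
    if not any(d in xml_path for d in TEMP_DIRS):
        return None
    tn = TN_ARG_RE.search(cmd)
    task = _arg(tn) if tn else "<unnamed>"
    return (f"task '{task}' registered from temp XML {xml_path} "
            f"(parent {ev.parent_image})")


def scan(events: List[ProcEvent]) -> List[str]:
    return [reason for reason in map(detect, events) if reason]


if __name__ == "__main__":
    for reason in scan(EVENTS):
        print("ALERT:", reason)
```

        Two details of the real events are worth keeping in mind when tuning this. The image path is C:\Windows\SysWOW64\schtasks.exe while the command line names System32: that is ordinary file-system redirection for a 32-bit parent, not evasion, so the check matches on the image name rather than its directory. And the parent is a user-writable binary under Desktop or a freshly created Program Files folder, which is the field to enrich the alert with before anyone looks at it.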
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\UCDR562uYv.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: UCDR562uYv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: UCDR562uYv.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: UCDR562uYv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: w\Windows\System.pdb' source: UCDR562uYv.exe, 00000005.00000002.604305938.000000000640C000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: UCDR562uYv.exe, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: lRvvjxua.exe.0.dr, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.UCDR562uYv.exe.a30000.0.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.UCDR562uYv.exe.a30000.0.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.5.dr, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.UCDR562uYv.exe.c80000.1.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.UCDR562uYv.exe.c80000.0.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 8.0.dhcpmon.exe.ea0000.0.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 8.2.dhcpmon.exe.ea0000.0.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.dd0000.0.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.dhcpmon.exe.dd0000.1.unpack, Game.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Binary contains a suspicious time stamp
        Source: initial sample Static PE information: 0xEE6CE2B9 [Wed Oct 3 14:35:37 2096 UTC]
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Code function: 0_2_00A34288 push es; ret
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Code function: 5_2_00C84288 push es; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 8_2_00EA4288 push es; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DD4288 push es; ret
        Source: initial sample Static PE information: section name: .text entropy: 7.9374544928
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.UCDR562uYv.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\UCDR562uYv.exe File created: C:\Users\user\AppData\Roaming\lRvvjxua.exe
        Source: C:\Users\user\Desktop\UCDR562uYv.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\UCDR562uYv.exe File opened: C:\Users\user\Desktop\UCDR562uYv.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: UCDR562uYv.exe, 00000000.00000002.344635376.0000000002F90000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.382597740.00000000032E0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: UCDR562uYv.exe, 00000000.00000002.344635376.0000000002F90000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.382597740.00000000032E0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Window / User API: threadDelayed 2210
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Window / User API: threadDelayed 1668
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Window / User API: threadDelayed 2278
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Window / User API: threadDelayed 7055
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Window / User API: foregroundWindowGot 875
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 1327
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 3621
        Source: C:\Users\user\Desktop\UCDR562uYv.exe TID: 6932 Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Users\user\Desktop\UCDR562uYv.exe TID: 6936 Thread sleep count: 2210 > 30
        Source: C:\Users\user\Desktop\UCDR562uYv.exe TID: 6808 Thread sleep time: -41500s >= -30000s
        Source: C:\Users\user\Desktop\UCDR562uYv.exe TID: 6964 Thread sleep count: 1668 > 30
        Source: C:\Users\user\Desktop\UCDR562uYv.exe TID: 6888 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\UCDR562uYv.exe TID: 1144 Thread sleep time: -22136092888451448s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6128 Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 348 Thread sleep count: 1327 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 348 Thread sleep count: 3621 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1724 Thread sleep time: -41500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2976 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5716 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: dhcpmon.exe, 00000008.00000002.382705725.0000000003325000.00000004.00000001.sdmp Binary or memory string: VMware
        Source: UCDR562uYv.exe, 00000005.00000002.604584536.0000000006C70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: dhcpmon.exe, 00000008.00000002.382705725.0000000003325000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: dhcpmon.exe, 00000008.00000002.382705725.0000000003325000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000008.00000002.382705725.0000000003325000.00000004.00000001.sdmp Binary or memory string: VMWARE
        Source: dhcpmon.exe, 00000008.00000002.382597740.00000000032E0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: UCDR562uYv.exe, 00000005.00000002.604584536.0000000006C70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: UCDR562uYv.exe, 00000005.00000002.604584536.0000000006C70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: dhcpmon.exe, 00000008.00000002.382597740.00000000032E0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 00000008.00000002.382597740.00000000032E0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000008.00000002.382705725.0000000003325000.00000004.00000001.sdmp Binary or memory string: VMware
        Source: dhcpmon.exe, 00000008.00000002.382597740.00000000032E0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: dhcpmon.exe, 00000008.00000002.382705725.0000000003325000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
        Source: UCDR562uYv.exe, 00000005.00000002.604584536.0000000006C70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp'
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Process created: C:\Users\user\Desktop\UCDR562uYv.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: UCDR562uYv.exe, 00000005.00000002.599733164.00000000031EC000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: UCDR562uYv.exe, 00000005.00000002.599516300.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: UCDR562uYv.exe, 00000005.00000002.599516300.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: UCDR562uYv.exe, 00000005.00000002.600334158.0000000003352000.00000004.00000001.sdmp Binary or memory string: Program Manager8f%
        Source: UCDR562uYv.exe, 00000005.00000002.599516300.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
        Source: UCDR562uYv.exe, 00000005.00000002.599516300.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: UCDR562uYv.exe, 00000005.00000002.604135824.00000000061AB000.00000004.00000001.sdmp Binary or memory string: Program Manager,^5
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Users\user\Desktop\UCDR562uYv.exe VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Users\user\Desktop\UCDR562uYv.exe VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\UCDR562uYv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RATShow sources
        Source: Yara match; File source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.397040286.0000000004259000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6440, type: MEMORY
        Source: Yara match; File source: Process Memory Space: UCDR562uYv.exe PID: 7060, type: MEMORY
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.41cff6c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.41d4595.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.41cff6c.4.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.41cb136.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.2.dhcpmon.exe.480d868.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.62b4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.dhcpmon.exe.429ff6c.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.62b0000.11.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.UCDR562uYv.exe.44bd868.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.2.dhcpmon.exe.46f1de8.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.UCDR562uYv.exe.44bd868.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.dhcpmon.exe.429b136.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.62b0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.dhcpmon.exe.42a4595.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.UCDR562uYv.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.2.dhcpmon.exe.480d868.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.dhcpmon.exe.429ff6c.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.UCDR562uYv.exe.43a1de8.2.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: UCDR562uYv.exe, 00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: UCDR562uYv.exe, 00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection12 | Masquerading2 | Input Capture21 | Security Software Discovery111 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Remote Access Software1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol21 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Behavior Graph ID: 356809, Sample: UCDR562uYv.exe, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100 (the graph itself is an image; the nodes recoverable from its text are listed below)

        • Processes: UCDR562uYv.exe and dhcpmon.exe are started; UCDR562uYv.exe starts a second UCDR562uYv.exe instance and schtasks.exe; dhcpmon.exe starts schtasks.exe and a second dhcpmon.exe instance; each schtasks.exe starts conhost.exe
        • Files dropped by the first UCDR562uYv.exe instance: C:\Users\user\AppData\Roaming\lRvvjxua.exe (PE32), C:\Users\user\AppData\Local\...\tmp483E.tmp (XML), C:\Users\user\AppData\...\UCDR562uYv.exe.log (ASCII)
        • Files dropped by the second UCDR562uYv.exe instance: C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO), C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
        • DNS/IP info: kene3210.ddns.net, 127.0.0.1 (unknown, unknown), 192.168.2.1 (unknown, unknown), all associated with the second UCDR562uYv.exe instance
        • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures; Hides that the sample has been downloaded from the Internet (zone.identifier) (second UCDR562uYv.exe instance)

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        UCDR562uYv.exe | 100% | Joe Sandbox ML | 

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\lRvvjxua.exe | 100% | Joe Sandbox ML | 
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | 

        Unpacked PE Files

        Source | Detection | Scanner | Label
        5.2.UCDR562uYv.exe.62b0000.11.unpack | 100% | Avira | TR/NanoCore.fadte
        5.2.UCDR562uYv.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        11.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        kene3210.ddns.net | 0% | Avira URL Cloud | safe
        127.0.0.1 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        kene3210.ddns.net | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          kene3210.ddns.net | true | Avira URL Cloud: safe | unknown
          127.0.0.1 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | UCDR562uYv.exe, 00000000.00000002.344576426.0000000002F51000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.382464682.00000000032A1000.00000004.00000001.sdmp | false | | high

            Contacted IPs


            Public

            IP | Domain | Country | Flag | ASN | ASN Name | Malicious

            Private

            IP
            192.168.2.1
            127.0.0.1

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:356809
            Start date:23.02.2021
            Start time:17:06:23
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 10m 53s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:UCDR562uYv.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:28
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@12/8@45/2
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted)
            • Excluded domains from analysis (whitelisted)
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            17:07:16 | API Interceptor | 1005x Sleep call for process: UCDR562uYv.exe modified
            17:07:22 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            17:07:33 | API Interceptor | 33x Sleep call for process: dhcpmon.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Process:C:\Users\user\Desktop\UCDR562uYv.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):820224
            Entropy (8bit):7.935160892507609
            Encrypted:false
            SSDEEP:12288:czXzZns2m0eCQQeD69UZLvxCyqmexnN2dMIrCREQlq0+115aH2Ia60LHHjMR:czXzlZTQ1W9UZNCLxNumRbq0sKS
            MD5:CF3CBCF8EED33D5DD9778C4914B21FD9
            SHA1:F64C016FDEA3BBD98964BDFC2FDA33D7AABA1361
            SHA-256:B9EBCDD39A9E00E766DAFBF2EA752B7310D179F65B0D989C402CF45CF3EFC321
            SHA-512:FF4FB2D3A349BCAC2027AC92D18FF44DD3CF46BDD128C4F6FB0FC86EE6A36FE7CFFE61159E4C53EFDC2104785C0CBDE68BA4D34E1DAB55E6F2F54C4B3B83C9F6
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l...............0..z............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text... x... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H........>..."......Q....`...6...........................................0..H........(......."....".....sU...}....."....".....sU...}......}.....~....k}....*.0..}.........{......,#...{.....{....(W...}......(......+N..~....k}......o;...oK...o[....o;...oK...o]..."...?~/...kZY~....kY.sU...}.....*....0..I........(....s........{....o[...~....kY.{....o]...~....kY.~....Zk.~....Zko.....*....0............{....o[...~....kX"..pAX~$...k....,...{....".....{....o[...Zo\......{....o[...~....
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
            Process:C:\Users\user\Desktop\UCDR562uYv.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview: [ZoneTransfer]....ZoneId=0
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UCDR562uYv.exe.log
            Process:C:\Users\user\Desktop\UCDR562uYv.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1301
            Entropy (8bit):5.345637324625647
            Encrypted:false
            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
            MD5:6C42AAF2F2FABAD2BAB70543AE48CEDB
            SHA1:8552031F83C078FE1C035191A32BA43261A63DA9
            SHA-256:51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
            SHA-512:014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1301
            Entropy (8bit):5.345637324625647
            Encrypted:false
            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
            MD5:6C42AAF2F2FABAD2BAB70543AE48CEDB
            SHA1:8552031F83C078FE1C035191A32BA43261A63DA9
            SHA-256:51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
            SHA-512:014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
            C:\Users\user\AppData\Local\Temp\tmp483E.tmp
            Process:C:\Users\user\Desktop\UCDR562uYv.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1653
            Entropy (8bit):5.1561818136292406
            Encrypted:false
            SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Dtn:cbha7JlNQV/rydbz9I3YODOLNdq3n
            MD5:FCBA3D1338C2D43D4E72F9CBAF773762
            SHA1:B6BC93238A70C344414AB57444036D709C01D60F
            SHA-256:DB223B21CB6D8D57F5AB1D29B7723287D5F7C8C18DE6F1AADF370C7139C3A181
            SHA-512:C2F608DFB37D0221B2E4B8A801248034E65B2B453680199B1BD88A57DDDA61FAE7148C6DA2E4C89A2FE511AC81D312A8BAC3F7896C09D486592E9DC76BE059B2
            Malicious:true
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
            C:\Users\user\AppData\Local\Temp\tmp86BE.tmp
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1653
            Entropy (8bit):5.1561818136292406
            Encrypted:false
            SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Dtn:cbha7JlNQV/rydbz9I3YODOLNdq3n
            MD5:FCBA3D1338C2D43D4E72F9CBAF773762
            SHA1:B6BC93238A70C344414AB57444036D709C01D60F
            SHA-256:DB223B21CB6D8D57F5AB1D29B7723287D5F7C8C18DE6F1AADF370C7139C3A181
            SHA-512:C2F608DFB37D0221B2E4B8A801248034E65B2B453680199B1BD88A57DDDA61FAE7148C6DA2E4C89A2FE511AC81D312A8BAC3F7896C09D486592E9DC76BE059B2
            Malicious:false
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Users\user\Desktop\UCDR562uYv.exe
            File Type:Non-ISO extended-ASCII text, with no line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):2.75
            Encrypted:false
            SSDEEP:3:I:I
            MD5:FE414FB2AECE1D020A3088145D7022DF
            SHA1:0F5B246B3615A1D85AAFAE3B177E7051CB8500E3
            SHA-256:80699AA482EC36FAF3CA7DEC15E7FC1903A333C8B84E4543E05CC304DA52BB94
            SHA-512:C44E60FE8A1B912771D040DA430954FD13CB2905C46CFF00B4337D87E11473B1E8FEAB0ADB805F7566B859385411E473594A28C326EEA2F4D583C29F2D60DDCA
            Malicious:true
            Preview: FAV.`..H
            C:\Users\user\AppData\Roaming\lRvvjxua.exe
            Process:C:\Users\user\Desktop\UCDR562uYv.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):820224
            Entropy (8bit):7.935160892507609
            Encrypted:false
            SSDEEP:12288:czXzZns2m0eCQQeD69UZLvxCyqmexnN2dMIrCREQlq0+115aH2Ia60LHHjMR:czXzlZTQ1W9UZNCLxNumRbq0sKS
            MD5:CF3CBCF8EED33D5DD9778C4914B21FD9
            SHA1:F64C016FDEA3BBD98964BDFC2FDA33D7AABA1361
            SHA-256:B9EBCDD39A9E00E766DAFBF2EA752B7310D179F65B0D989C402CF45CF3EFC321
            SHA-512:FF4FB2D3A349BCAC2027AC92D18FF44DD3CF46BDD128C4F6FB0FC86EE6A36FE7CFFE61159E4C53EFDC2104785C0CBDE68BA4D34E1DAB55E6F2F54C4B3B83C9F6
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l...............0..z............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text... x... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H........>..."......Q....`...6...........................................0..H........(......."....".....sU...}....."....".....sU...}......}.....~....k}....*.0..}.........{......,#...{.....{....(W...}......(......+N..~....k}......o;...oK...o[....o;...oK...o]..."...?~/...kZY~....kY.sU...}.....*....0..I........(....s........{....o[...~....kY.{....o]...~....kY.~....Zk.~....Zko.....*....0............{....o[...~....kX"..pAX~$...k....,...{....".....{....o[...Zo\......{....o[...~....

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.935160892507609
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:UCDR562uYv.exe
            File size:820224
            MD5:cf3cbcf8eed33d5dd9778c4914b21fd9
            SHA1:f64c016fdea3bbd98964bdfc2fda33d7aaba1361
            SHA256:b9ebcdd39a9e00e766dafbf2ea752b7310d179f65b0d989c402cf45cf3efc321
            SHA512:ff4fb2d3a349bcac2027ac92d18ff44dd3cf46bdd128c4f6fb0fc86ee6a36fe7cffe61159e4c53efdc2104785c0cbde68ba4d34e1dab55e6f2f54c4b3b83c9f6
            SSDEEP:12288:czXzZns2m0eCQQeD69UZLvxCyqmexnN2dMIrCREQlq0+115aH2Ia60LHHjMR:czXzlZTQ1W9UZNCLxNumRbq0sKS
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l...............0..z............... ........@.. ....................................@................................

            File Icon

            Icon Hash:00828e8e8686b000

            Static PE Info

            General

            Entrypoint:0x4c981a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0xEE6CE2B9 [Wed Oct 3 14:35:37 2096 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]

            Data Directories

            Name                                   Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT           0xc97c8          0x4f          .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE         0xca000          0x594         .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC        0xcc000          0xc           .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG            0xc97ac          0x1c          .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
            IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

            Sections

            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
            .text   0x2000           0xc7820       0xc7a00   False     0.948410349483   data       7.9374544928     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc   0xca000          0x594         0x600     False     0.416666666667   data       4.05140003811    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc  0xcc000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name         RVA      Size   Type                                                                          Language  Country
            RT_VERSION   0xca090  0x304  data
            RT_MANIFEST  0xca3a4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

            Imports

            DLL          Import
            mscoree.dll  _CorExeMain

            Version Infos

            Description       Data
            Translation       0x0000 0x04b0
            LegalCopyright    Copyright 2019
            Assembly Version  1.0.0.0
            InternalName      .exe
            FileVersion       1.0.0.0
            CompanyName
            LegalTrademarks
            Comments
            ProductName       PongGame
            ProductVersion    1.0.0.0
            FileDescription   PongGame
            OriginalFilename  .exe

            Network Behavior

            Network Port Distribution

            UDP Packets

            Timestamp  Source Port  Dest Port  Source IP  Dest IP

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
            Feb 23, 2021 17:07:24.744170904 CET192.168.2.68.8.8.80x9f4fStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:24.857589960 CET192.168.2.68.8.4.40x52e2Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:25.070523024 CET192.168.2.68.8.8.80xe424Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:29.333532095 CET192.168.2.68.8.8.80xc47eStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:29.421070099 CET192.168.2.68.8.4.40xf758Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:29.498599052 CET192.168.2.68.8.8.80x6d7cStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:33.832477093 CET192.168.2.68.8.8.80x151dStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:33.941015005 CET192.168.2.68.8.4.40x4a5bStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:34.048948050 CET192.168.2.68.8.8.80xcb8cStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:53.348172903 CET192.168.2.68.8.8.80x84cfStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:53.441025019 CET192.168.2.68.8.4.40x4a7cStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:53.530246973 CET192.168.2.68.8.8.80x6d7fStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:57.711498976 CET192.168.2.68.8.8.80xf21dStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:57.802349091 CET192.168.2.68.8.4.40x488fStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:07:57.914513111 CET192.168.2.68.8.8.80x51daStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:02.050817013 CET192.168.2.68.8.8.80x6778Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:02.114079952 CET192.168.2.68.8.4.40x5c7Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:02.210747957 CET192.168.2.68.8.8.80x6615Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:21.794615984 CET192.168.2.68.8.8.80xc3ccStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:21.848858118 CET192.168.2.68.8.4.40x1ea2Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:22.043221951 CET192.168.2.68.8.8.80x67b1Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:26.147032976 CET192.168.2.68.8.8.80xceb8Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:26.210582018 CET192.168.2.68.8.4.40xf683Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:26.447410107 CET192.168.2.68.8.8.80x4b3aStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:30.565412045 CET192.168.2.68.8.8.80x253Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:30.700958967 CET192.168.2.68.8.4.40xbbe3Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:30.804845095 CET192.168.2.68.8.8.80x60e3Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:50.045794964 CET192.168.2.68.8.8.80x91f7Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:50.103560925 CET192.168.2.68.8.4.40xed9fStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:50.245938063 CET192.168.2.68.8.8.80x6155Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:54.377499104 CET192.168.2.68.8.8.80x8d4aStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:54.448937893 CET192.168.2.68.8.4.40xc2a6Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:54.559159994 CET192.168.2.68.8.8.80xfa62Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:58.703872919 CET192.168.2.68.8.8.80x9eebStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:58.803178072 CET192.168.2.68.8.4.40x21cdStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:08:58.889539957 CET192.168.2.68.8.8.80x8dcStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:18.081855059 CET192.168.2.68.8.8.80xf0f9Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:18.138544083 CET192.168.2.68.8.4.40x8dd1Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:18.249293089 CET192.168.2.68.8.8.80x3894Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:22.310697079 CET192.168.2.68.8.8.80xdf0cStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:22.370918989 CET192.168.2.68.8.4.40x629cStandard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:22.432777882 CET192.168.2.68.8.8.80x4535Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:26.499460936 CET192.168.2.68.8.8.80xa039Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:26.561774015 CET192.168.2.68.8.4.40xf620Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)
            Feb 23, 2021 17:09:26.616223097 CET192.168.2.68.8.8.80x1517Standard query (0)kene3210.ddns.netA (IP address)IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Feb 23, 2021 17:07:24.809181929 CET | 8.8.8.8 | 192.168.2.6 | 0x9f4f | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:24.921189070 CET | 8.8.4.4 | 192.168.2.6 | 0x52e2 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:25.199552059 CET | 8.8.8.8 | 192.168.2.6 | 0xe424 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:29.393665075 CET | 8.8.8.8 | 192.168.2.6 | 0xc47e | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:29.481549025 CET | 8.8.4.4 | 192.168.2.6 | 0xf758 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:29.550241947 CET | 8.8.8.8 | 192.168.2.6 | 0x6d7c | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:33.893160105 CET | 8.8.8.8 | 192.168.2.6 | 0x151d | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:33.998241901 CET | 8.8.4.4 | 192.168.2.6 | 0x4a5b | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:34.112571955 CET | 8.8.8.8 | 192.168.2.6 | 0xcb8c | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:53.410068989 CET | 8.8.8.8 | 192.168.2.6 | 0x84cf | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:53.489680052 CET | 8.8.4.4 | 192.168.2.6 | 0x4a7c | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:53.582711935 CET | 8.8.8.8 | 192.168.2.6 | 0x6d7f | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:57.773730993 CET | 8.8.8.8 | 192.168.2.6 | 0xf21d | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:57.853434086 CET | 8.8.4.4 | 192.168.2.6 | 0x488f | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:07:57.973037004 CET | 8.8.8.8 | 192.168.2.6 | 0x51da | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:02.110687017 CET | 8.8.8.8 | 192.168.2.6 | 0x6778 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:02.172787905 CET | 8.8.4.4 | 192.168.2.6 | 0x5c7 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:02.268100977 CET | 8.8.8.8 | 192.168.2.6 | 0x6615 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:21.844912052 CET | 8.8.8.8 | 192.168.2.6 | 0xc3cc | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:21.899621010 CET | 8.8.4.4 | 192.168.2.6 | 0x1ea2 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:22.100816965 CET | 8.8.8.8 | 192.168.2.6 | 0x67b1 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:26.204144955 CET | 8.8.8.8 | 192.168.2.6 | 0xceb8 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:26.262346029 CET | 8.8.4.4 | 192.168.2.6 | 0xf683 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:26.512365103 CET | 8.8.8.8 | 192.168.2.6 | 0x4b3a | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:30.624352932 CET | 8.8.8.8 | 192.168.2.6 | 0x253 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:30.752542973 CET | 8.8.4.4 | 192.168.2.6 | 0xbbe3 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:30.861898899 CET | 8.8.8.8 | 192.168.2.6 | 0x60e3 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:50.100102901 CET | 8.8.8.8 | 192.168.2.6 | 0x91f7 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:50.153879881 CET | 8.8.4.4 | 192.168.2.6 | 0xed9f | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:50.308901072 CET | 8.8.8.8 | 192.168.2.6 | 0x6155 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:54.426078081 CET | 8.8.8.8 | 192.168.2.6 | 0x8d4a | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:54.511286974 CET | 8.8.4.4 | 192.168.2.6 | 0xc2a6 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:54.607866049 CET | 8.8.8.8 | 192.168.2.6 | 0xfa62 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:58.766043901 CET | 8.8.8.8 | 192.168.2.6 | 0x9eeb | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:58.853256941 CET | 8.8.4.4 | 192.168.2.6 | 0x21cd | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:08:58.946597099 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:18.132375002 CET | 8.8.8.8 | 192.168.2.6 | 0xf0f9 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:18.192625999 CET | 8.8.4.4 | 192.168.2.6 | 0x8dd1 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:18.298755884 CET | 8.8.8.8 | 192.168.2.6 | 0x3894 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:22.370294094 CET | 8.8.8.8 | 192.168.2.6 | 0xdf0c | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:22.430849075 CET | 8.8.4.4 | 192.168.2.6 | 0x629c | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:22.483623028 CET | 8.8.8.8 | 192.168.2.6 | 0x4535 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:26.561022043 CET | 8.8.8.8 | 192.168.2.6 | 0xa039 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:26.613244057 CET | 8.8.4.4 | 192.168.2.6 | 0xf620 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)
            Feb 23, 2021 17:09:26.664876938 CET | 8.8.8.8 | 192.168.2.6 | 0x1517 | Name error (3) | kene3210.ddns.net | none | none | A (IP address) | IN (0x0001)

            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time:17:07:14
            Start date:23/02/2021
            Path:C:\Users\user\Desktop\UCDR562uYv.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\UCDR562uYv.exe'
            Imagebase:0xa30000
            File size:820224 bytes
            MD5 hash:CF3CBCF8EED33D5DD9778C4914B21FD9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.349423394.0000000004306000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.347500177.0000000003F51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:17:07:18
            Start date:23/02/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp483E.tmp'
            Imagebase:0x13d0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:17:07:18
            Start date:23/02/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:17:07:19
            Start date:23/02/2021
            Path:C:\Users\user\Desktop\UCDR562uYv.exe
            Wow64 process (32bit):true
            Commandline:{path}
            Imagebase:0xc80000
            File size:820224 bytes
            MD5 hash:CF3CBCF8EED33D5DD9778C4914B21FD9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.599662311.0000000003181000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.604263829.00000000062B0000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.598230580.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.604092482.0000000005A90000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.604092482.0000000005A90000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.602748290.0000000004189000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:17:07:30
            Start date:23/02/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Imagebase:0xea0000
            File size:820224 bytes
            MD5 hash:CF3CBCF8EED33D5DD9778C4914B21FD9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.384846526.0000000004656000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.384087909.00000000042A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            Reputation:low

            General

            Start time:17:07:36
            Start date:23/02/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lRvvjxua' /XML 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'
            Imagebase:0x13d0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:17:07:36
            Start date:23/02/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:17:07:37
            Start date:23/02/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:{path}
            Imagebase:0xdd0000
            File size:820224 bytes
            MD5 hash:CF3CBCF8EED33D5DD9778C4914B21FD9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.395887312.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.396942381.0000000003251000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.397040286.0000000004259000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.397040286.0000000004259000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            Disassembly

            Code Analysis
