
Analysis Report R2ERChVU88T7UYn.exe

Overview

General Information

Sample Name: R2ERChVU88T7UYn.exe
Analysis ID: 298787
MD5: ee2a62cc8929d4e237de6b33b32dd136
SHA1: 50a8fab9e58926e4ad16320e680fdffb93421b64
SHA256: 54deeaeed632cdef34ba67c7b879e8c88ad5d19675cd69e613f663e9bcb3c51f
Tags: exe, NanoCore

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • R2ERChVU88T7UYn.exe (PID: 6748 cmdline: 'C:\Users\user\Desktop\R2ERChVU88T7UYn.exe' MD5: EE2A62CC8929D4E237DE6B33B32DD136)
    • schtasks.exe (PID: 768 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • R2ERChVU88T7UYn.exe (PID: 6900 cmdline: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe MD5: EE2A62CC8929D4E237DE6B33B32DD136)
  • dhcpmon.exe (PID: 6808 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EE2A62CC8929D4E237DE6B33B32DD136)
    • schtasks.exe (PID: 6032 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD99.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5008 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: EE2A62CC8929D4E237DE6B33B32DD136)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.231.113.86"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.729286057.0000000002D11000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.729286057.0000000002D11000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x69437:$a: NanoCore
  • 0x69490:$a: NanoCore
  • 0x694cd:$a: NanoCore
  • 0x69546:$a: NanoCore
  • 0x69499:$b: ClientPlugin
  • 0x694d6:$b: ClientPlugin
  • 0x69dd4:$b: ClientPlugin
  • 0x69de1:$b: ClientPlugin
  • 0x5f09a:$e: KeepAlive
  • 0x69921:$g: LogClientMessage
  • 0x698a1:$i: get_Connected
  • 0x5986d:$j: #=q
  • 0x5989d:$j: #=q
  • 0x598d9:$j: #=q
  • 0x59901:$j: #=q
  • 0x59931:$j: #=q
  • 0x59961:$j: #=q
  • 0x59991:$j: #=q
  • 0x599c1:$j: #=q
  • 0x599dd:$j: #=q
  • 0x59a0d:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.R2ERChVU88T7UYn.exe.5620000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
3.2.R2ERChVU88T7UYn.exe.5620000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
10.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
10.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe, ProcessId: 6900, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\R2ERChVU88T7UYn.exe', ParentImage: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe, ParentProcessId: 6748, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp', ProcessId: 768

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: R2ERChVU88T7UYn.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\jNwuhxdjagB.exe, Avira: detection malicious, Label: TR/AD.Nanocore.citbj
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/AD.Nanocore.citbj
Found malware configuration
Source: R2ERChVU88T7UYn.exe.6900.3.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["185.231.113.86"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\jNwuhxdjagB.exe, ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: R2ERChVU88T7UYn.exe, Virustotal: Detection: 33%
Source: R2ERChVU88T7UYn.exe, ReversingLabs: Detection: 47%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.729286057.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.921683370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.728221549.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.730926235.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.922814196.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.665841154.0000000003DF3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.714509974.0000000003ED4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: R2ERChVU88T7UYn.exe PID: 6900, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5008, type: MEMORY
Source: Yara match, File source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\jNwuhxdjagB.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: R2ERChVU88T7UYn.exe, Joe Sandbox ML: detected
Source: 10.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe, Code function: 4x nop then xor edx, edx, 0_2_04A4FEA0
Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe, Code function: 4x nop then xor edx, edx, 0_2_04A4FE9E
Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 0_2_04A47B48
Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 0_2_04A47B50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then xor edx, edx, 5_2_04CBFE9F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then xor edx, edx, 5_2_04CBFEA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 5_2_04CB7B4B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 5_2_04CB7B50

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: mavennezeliora123.ddns.net
Source: global traffic, TCP traffic: 192.168.2.4:49750 -> 185.231.113.86:1604
Source: global traffic, TCP traffic: 192.168.2.4:49758 -> 185.140.53.68:1604
Source: Joe Sandbox View, ASN Name: PTPEU PTPEU
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown, TCP traffic detected without corresponding DNS query: 185.231.113.86
Source: unknown, DNS traffic detected: queries for: mavennezeliora123.ddns.net
Source: R2ERChVU88T7UYn.exe, 00000000.00000002.665109249.0000000002451000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000002.713201934.000000000253B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: R2ERChVU88T7UYn.exe, 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.729286057.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.921683370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.728221549.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.730926235.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.922814196.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.665841154.0000000003DF3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.714509974.0000000003ED4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: R2ERChVU88T7UYn.exe PID: 6900, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5008, type: MEMORY
Source: Yara match, File source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.729286057.0000000002D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.921683370.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.921683370.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.728221549.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.728221549.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.730926235.0000000003D19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.665841154.0000000003DF3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.665841154.0000000003DF3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.714509974.0000000003ED4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.714509974.0000000003ED4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.926322876.0000000005620000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: R2ERChVU88T7UYn.exe PID: 6900, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: R2ERChVU88T7UYn.exe PID: 6900, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5008, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5008, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.R2ERChVU88T7UYn.exe.5620000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023202EC NtQueryInformationProcess,0_2_023202EC
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023202E5 NtQueryInformationProcess,0_2_023202E5
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023283F1 NtQueryInformationProcess,0_2_023283F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023602EC NtQueryInformationProcess,5_2_023602EC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023602E5 NtQueryInformationProcess,5_2_023602E5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023683F1 NtQueryInformationProcess,5_2_023683F1
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023210480_2_02321048
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_0232F0880_2_0232F088
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023231300_2_02323130
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023221A00_2_023221A0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023281E00_2_023281E0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023217A10_2_023217A1
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023285420_2_02328542
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02327EA00_2_02327EA0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023253A80_2_023253A8
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023253980_2_02325398
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_0232301F0_2_0232301F
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023251700_2_02325170
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023251630_2_02325163
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023281D00_2_023281D0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023256080_2_02325608
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023257F10_2_023257F1
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023204E80_2_023204E8
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023285640_2_02328564
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_023255F90_2_023255F9
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02324AF00_2_02324AF0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02327AF70_2_02327AF7
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02324B000_2_02324B00
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02323F380_2_02323F38
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02323F280_2_02323F28
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02320FB20_2_02320FB2
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02327C3B0_2_02327C3B
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_02321C690_2_02321C69
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A4CB200_2_04A4CB20
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A4F7B00_2_04A4F7B0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A43FFC0_2_04A43FFC
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A423680_2_04A42368
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A4CB100_2_04A4CB10
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A4F79F0_2_04A4F79F
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A470A30_2_04A470A3
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 0_2_04A452300_2_04A45230
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 3_2_011EE4803_2_011EE480
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 3_2_011EBBD43_2_011EBBD4
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exeCode function: 3_2_064A00403_2_064A0040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023610485_2_02361048
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_0236F0885_2_0236F088
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023631305_2_02363130
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023621A05_2_023621A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023681E05_2_023681E0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023617A15_2_023617A1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023685425_2_02368542
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02367EA05_2_02367EA0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023653A85_2_023653A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023653985_2_02365398
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_0236301F5_2_0236301F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023610185_2_02361018
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023651705_2_02365170
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023651635_2_02365163
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023681D05_2_023681D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023656085_2_02365608
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023657F15_2_023657F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023604E85_2_023604E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023685645_2_02368564
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_023655F95_2_023655F9
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02364AF05_2_02364AF0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02364B005_2_02364B00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02363F385_2_02363F38
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02363F285_2_02363F28
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02361C695_2_02361C69
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB64705_2_04CB6470
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CBCB205_2_04CBCB20
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CBF7B05_2_04CBF7B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB3FFC5_2_04CB3FFC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB404D5_2_04CB404D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB23685_2_04CB2368
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CBCB105_2_04CBCB10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB54885_2_04CB5488
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB54815_2_04CB5481
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CBF79F5_2_04CBF79F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_04CB70A35_2_04CB70A3
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_084004285_2_08400428
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_084072A05_2_084072A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_084004185_2_08400418
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0527E47110_2_0527E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0527E48010_2_0527E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0527BBD410_2_0527BBD4
        Source: R2ERChVU88T7UYn.exeBinary or memory string: OriginalFilename vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000000.00000002.664607789.0000000000126000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamekK2j.exeX vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000000.00000002.670517137.0000000008270000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000000.00000002.671262425.0000000008BA0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000000.00000002.671262425.0000000008BA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000000.00000002.665125185.000000000246C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameexag vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000000.00000002.670868995.0000000008AA0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exeBinary or memory string: OriginalFilename vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000000.663685857.0000000000AD2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamekK2j.exeX vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.926849230.0000000006E70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.922266093.00000000011FA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.926551257.0000000006000000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exe, 00000003.00000002.926185443.00000000054E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs R2ERChVU88T7UYn.exe
        Source: R2ERChVU88T7UYn.exeBinary or memory string: OriginalFilenamekK2j.exeX vs R2ERChVU88T7UYn.exe
        Source: 00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.926488934.00000000059D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000A.00000002.729286057.0000000002D11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.923639735.0000000003F59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.921683370.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.921683370.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.728221549.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.728221549.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.730926235.0000000003D19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.665841154.0000000003DF3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.665841154.0000000003DF3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.714509974.0000000003ED4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.714509974.0000000003ED4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.926322876.0000000005620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.926322876.0000000005620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: R2ERChVU88T7UYn.exe PID: 6900, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: R2ERChVU88T7UYn.exe PID: 6900, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5008, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5008, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.R2ERChVU88T7UYn.exe.5620000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.R2ERChVU88T7UYn.exe.5620000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.R2ERChVU88T7UYn.exe.59d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: R2ERChVU88T7UYn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: jNwuhxdjagB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/9@3/2
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File created: C:\Users\user\AppData\Roaming\jNwuhxdjagB.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{acf00934-90d7-41af-9552-66eabfd39e9f}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\zrNbQavZzdvdo
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp
        Source: R2ERChVU88T7UYn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: R2ERChVU88T7UYn.exe | Virustotal: Detection: 33%
        Source: R2ERChVU88T7UYn.exe | ReversingLabs: Detection: 47%
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File read: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe
        Source: unknown | Process created: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe 'C:\Users\user\Desktop\R2ERChVU88T7UYn.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe C:\Users\user\Desktop\R2ERChVU88T7UYn.exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD99.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp'
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Process created: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe C:\Users\user\Desktop\R2ERChVU88T7UYn.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD99.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: R2ERChVU88T7UYn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: R2ERChVU88T7UYn.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Unpacked PE file: 0.2.R2ERChVU88T7UYn.exe.90000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 5.2.dhcpmon.exe.80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Unpacked PE file: 0.2.R2ERChVU88T7UYn.exe.90000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 5.2.dhcpmon.exe.80000.0.unpack
        .NET source code contains potential unpacker
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Code function: 0_2_0010163C push es; retf 0_2_00101644
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Code function: 0_2_00102DBD push esi; retf 0_2_00102DC0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Code function: 3_2_00B42DBD push esi; retf 3_2_00B42DC0
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Code function: 3_2_00B4163C push es; retf 3_2_00B41644
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_000F163C push es; retf 5_2_000F1644
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_000F2DBD push esi; retf 5_2_000F2DC0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00962DBD push esi; retf 10_2_00962DC0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0096163C push es; retf 10_2_00961644
        Source: initial sample | Static PE information: section name: .text entropy: 7.78388596667
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.2.R2ERChVU88T7UYn.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 10.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File created: C:\Users\user\AppData\Roaming\jNwuhxdjagB.exe
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jNwuhxdjagB' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9EB.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | File opened: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe:Zone.Identifier read attributes | delete
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\R2ERChVU88T7UYn.exe | Process information set: NOOPENFILEERRORBOX