Analysis Report SMFPQm4vpC4IwA3.exe

Overview

General Information

Sample Name: SMFPQm4vpC4IwA3.exe
Analysis ID: 299283
MD5: f46db579e5d619b198f616dad35955ac
SHA1: 2dce49d9567b92ccb623bcbc9d5f6e4ca6aa23e6
SHA256: 1ddce9c11a9b35eb6d55006504b47ab27bcef3edc7747c49d4573712a5a3b275
Tags: exe

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SMFPQm4vpC4IwA3.exe (PID: 5912 cmdline: 'C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe' MD5: F46DB579E5D619B198F616DAD35955AC)
    • schtasks.exe (PID: 5900 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SMFPQm4vpC4IwA3.exe (PID: 5156 cmdline: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe MD5: F46DB579E5D619B198F616DAD35955AC)
  • dhcpmon.exe (PID: 1004 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F46DB579E5D619B198F616DAD35955AC)
    • schtasks.exe (PID: 5452 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmpA1E4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5664 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: F46DB579E5D619B198F616DAD35955AC)
    • dhcpmon.exe (PID: 2544 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: F46DB579E5D619B198F616DAD35955AC)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["194.5.97.32:1604", "185.140.53.68"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000006.00000002.292930845.0000000003479000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.249366682.000000000245B000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(31 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
14.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
(11 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, ProcessId: 5156, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe', ParentImage: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, ParentProcessId: 5912, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp', ProcessId: 5900

Signature Overview

AV Detection:

Found malware configuration
Source: SMFPQm4vpC4IwA3.exe.5156.3.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["194.5.97.32:1604", "185.140.53.68"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 30%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\XJjPvpRFdwHSj.exe, Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Roaming\XJjPvpRFdwHSj.exe, ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: SMFPQm4vpC4IwA3.exe, Virustotal: Detection: 30%
Source: SMFPQm4vpC4IwA3.exe, ReversingLabs: Detection: 50%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.293392960.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.506317464.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.249517919.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.306921070.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.306996311.0000000003A49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.511755364.0000000005F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.305997072.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SMFPQm4vpC4IwA3.exe PID: 5156, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2544, type: MEMORY
Source: Yara match, File source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XJjPvpRFdwHSj.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SMFPQm4vpC4IwA3.exe, Joe Sandbox ML: detected
Source: 14.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: mavennezeliora123.ddns.net
Source: global traffic, TCP traffic: 192.168.2.5:49700 -> 194.5.97.32:1604
Source: global traffic, TCP traffic: 192.168.2.5:49706 -> 185.140.53.68:1604
Source: Joe Sandbox View, ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown, TCP traffic detected without corresponding DNS query: 194.5.97.32
Source: unknown, DNS traffic detected: queries for: mavennezeliora123.ddns.net
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.249336454.0000000002401000.00000004.00000001.sdmp, dhcpmon.exe, 00000006.00000002.292835638.0000000003421000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.249133711.0000000000769000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.293392960.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.506317464.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.249517919.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.306921070.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.306996311.0000000003A49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.511755364.0000000005F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.305997072.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SMFPQm4vpC4IwA3.exe PID: 5156, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2544, type: MEMORY
Source: Yara match, File source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.293392960.0000000004429000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.293392960.0000000004429000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.249517919.0000000003409000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.249517919.0000000003409000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.306921070.0000000002A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.306996311.0000000003A49000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.511755364.0000000005F80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.511533215.0000000005B10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.305997072.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.305997072.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SMFPQm4vpC4IwA3.exe PID: 5156, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SMFPQm4vpC4IwA3.exe PID: 5156, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 2544, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 2544, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SMFPQm4vpC4IwA3.exe.5b10000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_023DCB74
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_023DF420
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_023DF410
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_057258B8
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_05720040
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_0572003C
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 0_2_057258A8
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 3_2_019DE480
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 3_2_019DE471
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 3_2_019DBBD4
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 3_2_059CF5F8
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 3_2_059C9788
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe, Code function: 3_2_059CA5D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_018ECB74
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_018EF410
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_018EF420
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_033E53F6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_033E7E00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_033E7DF1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_033E4C58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_033E4C47
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_064358B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_06430040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_06430006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 6_2_064358A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_00DFE480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_00DFE471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_00DFBBD4
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.249133711.0000000000769000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000000.238525686.000000000012E000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameQIwB.exe4 vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.249336454.0000000002401000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameexag vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.249583713.0000000003522000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameKedermister.dllT vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.250637976.0000000005F00000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.250637976.0000000005F00000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000000.00000002.250530400.0000000005E00000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.504443563.0000000000FFE000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameQIwB.exe4 vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.511813728.00000000065E0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.512038918.0000000006E40000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.506317464.0000000003411000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SMFPQm4vpC4IwA3.exe
Source: SMFPQm4vpC4IwA3.exe, Binary or memory string: OriginalFilenameQIwB.exe4 vs SMFPQm4vpC4IwA3.exe
Source: 00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.503991622.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.293392960.0000000004429000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.293392960.0000000004429000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.249517919.0000000003409000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.249517919.0000000003409000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.306921070.0000000002A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.306996311.0000000003A49000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.511755364.0000000005F80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.511755364.0000000005F80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.511533215.0000000005B10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.511533215.0000000005B10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.305997072.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.305997072.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.509401873.0000000004419000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SMFPQm4vpC4IwA3.exe PID: 5156, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SMFPQm4vpC4IwA3.exe PID: 5156, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 2544, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 2544, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.SMFPQm4vpC4IwA3.exe.5b10000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.SMFPQm4vpC4IwA3.exe.5b10000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 3.2.SMFPQm4vpC4IwA3.exe.5f80000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: SMFPQm4vpC4IwA3.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: XJjPvpRFdwHSj.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.3.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: SMFPQm4vpC4IwA3.exe, 00000000.00000003.248637695.0000000005420000.00000004.00000001.sdmpBinary or memory string: Pf?.vbp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@14/9@6/2
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeFile created: C:\Users\user\AppData\Roaming\XJjPvpRFdwHSj.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{06c577b0-ad0c-4f9f-a38c-b108ef9847f8}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\XyHxcHvvCIufZgkZKVy
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5886.tmpJump to behavior
          Source: SMFPQm4vpC4IwA3.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: SMFPQm4vpC4IwA3.exeVirustotal: Detection: 30%
          Source: SMFPQm4vpC4IwA3.exeReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeFile read: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe 'C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmpA1E4.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeProcess created: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmpA1E4.tmp'Jump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: SMFPQm4vpC4IwA3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SMFPQm4vpC4IwA3.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | Code function: 0_2_00098B66 push es; ret 0_2_00098B8F
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | Code function: 0_2_057244E0 pushad ; retf 0_2_057244E1
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | Code function: 3_2_00F68B66 push es; ret 3_2_00F68B8F
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | Code function: 3_2_059C69F8 pushad ; retf 3_2_059C69F9
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | Code function: 3_2_059C69FA push esp; retf 3_2_059C6A01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_00DC8B66 push es; ret 6_2_00DC8B8F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_018E8B90 pushad ; iretd 6_2_018E8B9D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_033E89F7 push dword ptr [ebp-17000000h]; retn 002Fh 6_2_033E89FD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_064344E0 pushad ; retf 6_2_064344E1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_06435071 push es; iretd 6_2_06435084
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_06434E09 push es; retf 6_2_06434E38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_000B8B66 push es; ret 13_2_000B8B8F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_005C8B66 push es; ret 14_2_005C8B8F
Source: initial sample | Static PE information: section name: .text entropy: 7.64127882986
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.SMFPQm4vpC4IwA3.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | File created: C:\Users\user\AppData\Roaming\XJjPvpRFdwHSj.exe
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XJjPvpRFdwHSj' /XML 'C:\Users\user\AppData\Local\Temp\tmp5886.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | File opened: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\SMFPQm4vpC4IwA3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desk