Analysis Report PO456789.exe

Overview

General Information

Sample Name: PO456789.exe
Analysis ID: 322271
MD5: 6997fbda2b03ac3c34fec92ed6375e40
SHA1: 4d16de6b50332cc05fca066125937c364dda961f
SHA256: 6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: InstallUtil.exe.7016.32.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["185.244.30.212"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.918066264.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.720376999.0000000002891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY
Source: Yara match File source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.InstallUtil.exe.62c0000.4.unpack Avira: Label: TR/NanoCore.fadte
Source: 32.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02BFE2E8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_02BFEDA8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02BFEDA8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_02BFF0C8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02BFF0C8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02BFE8C4
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then xor edx, edx 0_2_02BFEFF4
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_02BFED9C
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02BFED9C
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_02BFF0BC
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02BFF0BC
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then xor edx, edx 0_2_02BFF000
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then mov ecx, dword ptr [03DEE69Ch] 0_2_02BF7A18
Source: C:\Users\user\Desktop\PO456789.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_02BF7A18
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 5_2_00B7E2E8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-20h] 5_2_00B7EDA8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 5_2_00B7EDA8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-24h] 5_2_00B7F0C8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 5_2_00B7F0C8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 5_2_00B7E8C4
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-20h] 5_2_00B7ED9C
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 5_2_00B7ED9C
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then xor edx, edx 5_2_00B7EFF4
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-24h] 5_2_00B7F0BC
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 5_2_00B7F0BC
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then xor edx, edx 5_2_00B7F000
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov ecx, dword ptr [0351E69Ch] 5_2_00B77A18
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_00B77A18
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 26_2_02A4E2E8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-24h] 26_2_02A4F0C8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 26_2_02A4F0C8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-20h] 26_2_02A4EDA8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 26_2_02A4EDA8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-24h] 26_2_02A4F0BC
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 26_2_02A4F0BC
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then xor edx, edx 26_2_02A4F000
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 26_2_02A4E8C4
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then xor edx, edx 26_2_02A4EFF4
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then push dword ptr [ebp-20h] 26_2_02A4ED9C
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 26_2_02A4ED9C

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.244.30.212 ports 57689,5,6,7,8,9
Source: global traffic TCP traffic: 105.112.96.12 ports 57689,5,6,7,8,9
Uses dynamic DNS services
Source: unknown DNS query: name: smithcity123.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 105.112.96.12:57689
Source: global traffic TCP traffic: 192.168.2.4:49765 -> 185.244.30.212:57689
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View ASN Name: VNL1-ASNG
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.30.212
Source: unknown DNS traffic detected: queries for: smithcity123.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PO456789.exe, 00000000.00000002.665138139.00000000011AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.720376999.0000000002891000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.5530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large array initializations
Source: PO456789.exe, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: 0.2.PO456789.exe.a10000.0.unpack, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: 0.0.PO456789.exe.a10000.0.unpack, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: fifyt.exe.1.dr, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: 5.2.fifyt.exe.1c0000.0.unpack, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: 5.0.fifyt.exe.1c0000.0.unpack, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: 26.0.fifyt.exe.860000.0.unpack, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Source: 26.2.fifyt.exe.860000.0.unpack, Lg6/u0032Kr.cs Large array initialization: 5q_: array initializer size 91136
Detected potential crypto function
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF42B8 0_2_02BF42B8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2498 0_2_02BF2498
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2F90 0_2_02BF2F90
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF5D78 0_2_02BF5D78
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF42A8 0_2_02BF42A8
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2493 0_2_02BF2493
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BFAB38 0_2_02BFAB38
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2F83 0_2_02BF2F83
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF7A18 0_2_02BF7A18
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BFF880 0_2_02BFF880
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BFF870 0_2_02BFF870
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF5D68 0_2_02BF5D68
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B742B8 5_2_00B742B8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B72498 5_2_00B72498
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B72F90 5_2_00B72F90
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B75D78 5_2_00B75D78
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B742A8 5_2_00B742A8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7248A 5_2_00B7248A
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7AB38 5_2_00B7AB38
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B72F82 5_2_00B72F82
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7F880 5_2_00B7F880
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7F870 5_2_00B7F870
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B77A18 5_2_00B77A18
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B75D68 5_2_00B75D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0501E471 9_2_0501E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0501E480 9_2_0501E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0501BBD4 9_2_0501BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_06780040 9_2_06780040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_010107C8 21_2_010107C8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A442A8 26_2_02A442A8
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4248B 26_2_02A4248B
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A42F83 26_2_02A42F83
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A45D68 26_2_02A45D68
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4AB38 26_2_02A4AB38
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4F880 26_2_02A4F880
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4F870 26_2_02A4F870
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_002520B0 27_2_002520B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_00BB07C8 27_2_00BB07C8
Sample file is different than original file name gathered from version info
Source: PO456789.exe, 00000000.00000002.670141096.0000000008E90000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO456789.exe
Source: PO456789.exe, 00000000.00000002.665138139.00000000011AA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO456789.exe
Source: PO456789.exe, 00000000.00000002.670354069.0000000008F90000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO456789.exe
Source: PO456789.exe, 00000000.00000002.670354069.0000000008F90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO456789.exe
Source: PO456789.exe, 00000000.00000002.668951948.00000000054D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO456789.exe
Source: PO456789.exe, 00000000.00000002.664827057.0000000000AA4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStub37.exe. vs PO456789.exe
Source: PO456789.exe, 00000000.00000002.665964234.0000000003DF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDESdgdhser.dll0 vs PO456789.exe
Source: PO456789.exe Binary or memory string: OriginalFilenameStub37.exe. vs PO456789.exe
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Yara signature match
Source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.720376999.0000000002891000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.5530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.5530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.InstallUtil.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.InstallUtil.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
Source: fifyt.exe, 00000005.00000002.923643082.0000000008DB3000.00000004.00000001.sdmp Binary or memory string: ft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBp+' .
Source: classification engine Classification label: mal100.troj.evad.winEXE@220/11@6/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\PO456789.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO456789.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2240:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{adbd9fab-b8d2-4b8b-b8ff-e45b2d6b4946}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp
Source: PO456789.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO456789.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\fifyt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO456789.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO456789.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\PO456789.exe 'C:\Users\user\Desktop\PO456789.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\PO456789.exe' 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\fifyt.exe C:\Users\user\AppData\Local\fifyt.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp'
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC96C.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\fifyt.exe 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\Desktop\PO456789.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\PO456789.exe' 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\Desktop\PO456789.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\fifyt.exe C:\Users\user\AppData\Local\fifyt.exe
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 0
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC96C.tmp' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\Desktop\PO456789.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO456789.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO456789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO456789.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: dhcpmon.exe, 0000001B.00000002.697779760.0000000000252000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
Source: Binary string: InstallUtil.pdb source: dhcpmon.exe, dhcpmon.exe.9.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_00A123E2 push edx; iretd 0_2_00A123E5
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_00A123C9 pushfd ; iretd 0_2_00A123CA
Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_00A1249D push 75C6687Ch; iretd 0_2_00A124A2
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_001C249D push 75C6687Ch; iretd 5_2_001C24A2
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_001C23C9 pushfd ; iretd 5_2_001C23CA
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_001C23E2 push edx; iretd 5_2_001C23E5
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_008623C9 pushfd ; iretd 26_2_008623CA
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_0086249D push 75C6687Ch; iretd 26_2_008624A2
Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_008623E2 push edx; iretd 26_2_008623E5
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\fifyt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp'
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run fiffyt

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO456789.exe File opened: C:\Users\user\Desktop\PO456789.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\fifyt.exe File opened: C:\Users\user\AppData\Local\fifyt.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\fifyt.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO456789.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\fifyt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO456789.exe, 00000000.00000002.665964234.0000000003DF1000.00000004.00000001.sdmp, fifyt.exe, 00000005.00000002.918713126.0000000003521000.00000004.00000001.sdmp, fifyt.exe, 0000001A.00000002.918721922.0000000003C41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL!:ZONE.IDENTIFIER
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\fifyt.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO456789.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: foregroundWindowGot 790
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO456789.exe TID: 5688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\fifyt.exe TID: 5744 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\fifyt.exe TID: 5744 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5992 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\fifyt.exe TID: 940 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\fifyt.exe TID: 940 Thread sleep time: -66000s >= -30000s
Source: C:\Users\user\AppData\Local\fifyt.exe TID: 7024 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\fifyt.exe TID: 7024 Thread sleep time: -30500s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\fifyt.exe Last function: Thread delayed
Source: reg.exe, 00000008.00000002.674973226.0000000003180000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.922641670.0000000006DF0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.680010703.0000000000F90000.00000002.00000001.sdmp, reg.exe, 00000010.00000002.686514488.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000015.00000002.694682303.00000000051F0000.00000002.00000001.sdmp, reg.exe, 00000019.00000002.694835125.00000000034C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.698928388.0000000004B70000.00000002.00000001.sdmp, reg.exe, 0000001F.00000002.701484733.00000000035A0000.00000002.00000001.sdmp, reg.exe, 00000024.00000002.707263552.00000000036B0000.00000002.00000001.sdmp, reg.exe, 00000027.00000002.712079491.0000000003910000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: InstallUtil.exe, 00000009.00000002.922353103.0000000006540000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: PO456789.exe, 00000000.00000002.665964234.0000000003DF1000.00000004.00000001.sdmp, fifyt.exe, 00000005.00000002.918713126.0000000003521000.00000004.00000001.sdmp, fifyt.exe, 0000001A.00000002.918721922.0000000003C41000.00000004.00000001.sdmp Binary or memory string: VirtualMachineDetector
Source: reg.exe, 00000008.00000002.674973226.0000000003180000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.922641670.0000000006DF0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.680010703.0000000000F90000.00000002.00000001.sdmp, reg.exe, 00000010.00000002.686514488.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000015.00000002.694682303.00000000051F0000.00000002.00000001.sdmp, reg.exe, 00000019.00000002.694835125.00000000034C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.698928388.0000000004B70000.00000002.00000001.sdmp, reg.exe, 0000001F.00000002.701484733.00000000035A0000.00000002.00000001.sdmp, reg.exe, 00000024.00000002.707263552.00000000036B0000.00000002.00000001.sdmp, reg.exe, 00000027.00000002.712079491.0000000003910000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000008.00000002.674973226.0000000003180000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.922641670.0000000006DF0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.680010703.0000000000F90000.00000002.00000001.sdmp, reg.exe, 00000010.00000002.686514488.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000015.00000002.694682303.00000000051F0000.00000002.00000001.sdmp, reg.exe, 00000019.00000002.694835125.00000000034C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.698928388.0000000004B70000.00000002.00000001.sdmp, reg.exe, 0000001F.00000002.701484733.00000000035A0000.00000002.00000001.sdmp, reg.exe, 00000024.00000002.707263552.00000000036B0000.00000002.00000001.sdmp, reg.exe, 00000027.00000002.712079491.0000000003910000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 00000008.00000002.674973226.0000000003180000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.922641670.0000000006DF0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.680010703.0000000000F90000.00000002.00000001.sdmp, reg.exe, 00000010.00000002.686514488.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000015.00000002.694682303.00000000051F0000.00000002.00000001.sdmp, reg.exe, 00000019.00000002.694835125.00000000034C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.698928388.0000000004B70000.00000002.00000001.sdmp, reg.exe, 0000001F.00000002.701484733.00000000035A0000.00000002.00000001.sdmp, reg.exe, 00000024.00000002.707263552.00000000036B0000.00000002.00000001.sdmp, reg.exe, 00000027.00000002.712079491.0000000003910000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\fifyt.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PO456789.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\fifyt.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO456789.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO456789.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\PO456789.exe' 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\Desktop\PO456789.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\fifyt.exe C:\Users\user\AppData\Local\fifyt.exe
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 0
Source: C:\Users\user\AppData\Local\fifyt.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC96C.tmp'
Source: fifyt.exe, 00000005.00000002.917999799.0000000000F40000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.918861771.0000000003085000.00000004.00000001.sdmp, fifyt.exe, 0000001A.00000002.917572256.0000000001580000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: fifyt.exe, 00000005.00000002.917999799.0000000000F40000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.917765494.00000000014E0000.00000002.00000001.sdmp, fifyt.exe, 0000001A.00000002.917572256.0000000001580000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: fifyt.exe, 00000005.00000002.917999799.0000000000F40000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.917765494.00000000014E0000.00000002.00000001.sdmp, fifyt.exe, 0000001A.00000002.917572256.0000000001580000.00000002.00000001.sdmp Binary or memory string: Progman
Source: fifyt.exe, 00000005.00000002.917999799.0000000000F40000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.917765494.00000000014E0000.00000002.00000001.sdmp, fifyt.exe, 0000001A.00000002.917572256.0000000001580000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO456789.exe Queries volume information: C:\Users\user\Desktop\PO456789.exe VolumeInformation
Source: C:\Users\user\Desktop\PO456789.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO456789.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO456789.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Users\user\AppData\Local\fifyt.exe VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Users\user\AppData\Local\fifyt.exe VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\fifyt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO456789.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.918066264.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.720376999.0000000002891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY
Source: Yara match File source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: PO456789.exe, 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: fifyt.exe, 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000009.00000002.918066264.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000009.00000002.918066264.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: fifyt.exe, 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.918066264.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.720376999.0000000002891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY
Source: Yara match File source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (rendered graph image; only the facts readable from it are kept here)
Behavior Graph ID: 322271 Sample: PO456789.exe Startdate: 24/11/2020 Architecture: WINDOWS Score: 100
Process tree as drawn: PO456789.exe -> cmd.exe -> fifyt.exe -> InstallUtil.exe -> schtasks.exe; fifyt.exe -> cmd.exe -> reg.exe; fifyt.exe, InstallUtil.exe and dhcpmon.exe are also drawn as started from the root.
Dropped files: C:\Users\user\AppData\Local\fifyt.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmpC4E7.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32).
Network (from InstallUtil.exe): smithcity123.ddns.net 105.112.96.12, port 57689, VNL1-ASNG Nigeria; 185.244.30.212, ports 49765, 49766, 49767, DAVID_CRAIGGG Netherlands.
Signatures shown on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Hides that the sample has been downloaded from the Internet (zone.identifier); Protects its processes via BreakOnTermination flag; Uses cmd line tools excessively to alter registry or file data; 9 other signatures.

Contacted Public IPs

IP             | Domain  | Country     | ASN    | ASN Name      | Malicious
185.244.30.212 | unknown | Netherlands | 209623 | DAVID_CRAIGGG | true
105.112.96.12  | unknown | Nigeria     | 36873  | VNL1-ASNG     | true

Contacted Domains

Name IP Active
smithcity123.ddns.net 105.112.96.12 true