Analysis Report PO456789.exe

Overview

General Information

Sample Name: PO456789.exe
Analysis ID: 322271
MD5: 6997fbda2b03ac3c34fec92ed6375e40
SHA1: 4d16de6b50332cc05fca066125937c364dda961f
SHA256: 6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Startup

  • System is w10x64
  • PO456789.exe (PID: 5916 cmdline: 'C:\Users\user\Desktop\PO456789.exe' MD5: 6997FBDA2B03AC3C34FEC92ED6375E40)
    • cmd.exe (PID: 4228 cmdline: 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\PO456789.exe' 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5988 cmdline: 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • fifyt.exe (PID: 6272 cmdline: C:\Users\user\AppData\Local\fifyt.exe MD5: 6997FBDA2B03AC3C34FEC92ED6375E40)
        • cmd.exe (PID: 4940 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 4780 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • InstallUtil.exe (PID: 6712 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
          • schtasks.exe (PID: 6716 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 6996 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC96C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6732 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6776 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 6692 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6968 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 204 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 4228 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 6112 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 5920 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 7160 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6896 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 6988 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6996 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • InstallUtil.exe (PID: 4812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 0 MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fifyt.exe (PID: 5048 cmdline: 'C:\Users\user\AppData\Local\fifyt.exe' MD5: 6997FBDA2B03AC3C34FEC92ED6375E40)
    • InstallUtil.exe (PID: 7016 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • dhcpmon.exe (PID: 6560 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.244.30.212"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author | Strings

9.2.InstallUtil.exe.62c0000.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

9.2.InstallUtil.exe.62c0000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

9.2.InstallUtil.exe.62c0000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

9.2.InstallUtil.exe.5530000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

9.2.InstallUtil.exe.5530000.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

      Sigma Overview

      System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 6712, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
      Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 6712, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp', ProcessId: 6716

      Signature Overview

      AV Detection:

Found malware configuration
Source: InstallUtil.exe.7016.32.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.244.30.212"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
      Source: 9.2.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.InstallUtil.exe.62c0000.4.unpackAvira: Label: TR/NanoCore.fadte
      Source: 32.2.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

      Networking:

Connects to many ports of the same IP (likely port scanning)
      Source: global trafficTCP traffic: 185.244.30.212 ports 57689,5,6,7,8,9
      Source: global trafficTCP traffic: 105.112.96.12 ports 57689,5,6,7,8,9
Uses dynamic DNS services
      Source: unknownDNS query: name: smithcity123.ddns.net
      Source: global trafficTCP traffic: 192.168.2.4:49733 -> 105.112.96.12:57689
      Source: global trafficTCP traffic: 192.168.2.4:49765 -> 185.244.30.212:57689
      Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
      Source: Joe Sandbox ViewASN Name: VNL1-ASNG VNL1-ASNG
      Source: unknownTCP traffic detected without corresponding DNS query: 185.244.30.212
      Source: unknownDNS traffic detected: queries for: smithcity123.ddns.net
      Source: PO456789.exe, 00000000.00000002.665138139.00000000011AA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: InstallUtil.exe, 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

Yara detected Nanocore RAT

      Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process information set: 01 00 00 00

      System Summary:

Malicious sample detected (through community Yara rule)
.NET source code contains very large array initializations
      Source: PO456789.exe, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: 0.2.PO456789.exe.a10000.0.unpack, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: 0.0.PO456789.exe.a10000.0.unpack, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: fifyt.exe.1.dr, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: 5.2.fifyt.exe.1c0000.0.unpack, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: 5.0.fifyt.exe.1c0000.0.unpack, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: 26.0.fifyt.exe.860000.0.unpack, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: 26.2.fifyt.exe.860000.0.unpack, Lg6/u0032Kr.csLarge array initialization: 5q_: array initializer size 91136
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF42B8
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2498
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2F90
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF5D78
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF42A8
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2493
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BFAB38
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF2F83
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF7A18
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BFF880
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BFF870
      Source: C:\Users\user\Desktop\PO456789.exe Code function: 0_2_02BF5D68
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B742B8
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B72498
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B72F90
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B75D78
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B742A8
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7248A
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7AB38
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B72F82
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7F880
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B7F870
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B77A18
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 5_2_00B75D68
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0501E471
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0501E480
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0501BBD4
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_06780040
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_010107C8
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A442A8
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4248B
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A42F83
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A45D68
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4AB38
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4F880
      Source: C:\Users\user\AppData\Local\fifyt.exe Code function: 26_2_02A4F870
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_002520B0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_00BB07C8
      Source: PO456789.exe, 00000000.00000002.670141096.0000000008E90000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO456789.exe
      Source: PO456789.exe, 00000000.00000002.665138139.00000000011AA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO456789.exe
      Source: PO456789.exe, 00000000.00000002.670354069.0000000008F90000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO456789.exe
      Source: PO456789.exe, 00000000.00000002.670354069.0000000008F90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO456789.exe
      Source: PO456789.exe, 00000000.00000002.668951948.00000000054D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO456789.exe
      Source: PO456789.exe, 00000000.00000002.664827057.0000000000AA4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStub37.exe. vs PO456789.exe
      Source: PO456789.exe, 00000000.00000002.665964234.0000000003DF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDESdgdhser.dll0 vs PO456789.exe
      Source: PO456789.exe Binary or memory string: OriginalFilenameStub37.exe. vs PO456789.exe
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.916744758.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.922011910.0000000005530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000020.00000002.721312091.0000000003899000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.667325612.00000000047CF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.918936190.0000000003B39000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000020.00000002.720376999.0000000002891000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.919007520.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000020.00000002.719448069.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.922273053.00000000062C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.666493336.00000000046D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001A.00000002.918889108.0000000004521000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.918869911.0000000003E01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001A.00000002.919031483.000000000461F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: fifyt.exe PID: 5048, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: InstallUtil.exe PID: 7016, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: InstallUtil.exe PID: 6712, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.InstallUtil.exe.62c0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.InstallUtil.exe.5530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.InstallUtil.exe.5530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.InstallUtil.exe.62c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 32.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: fifyt.exe, 00000005.00000002.923643082.0000000008DB3000.00000004.00000001.sdmp Binary or memory string: ft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBp+' .
      Source: classification engine Classification label: mal100.troj.evad.winEXE@220/11@6/2
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\PO456789.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO456789.exe.log
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2240:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{adbd9fab-b8d2-4b8b-b8ff-e45b2d6b4946}
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp
      Source: PO456789.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PO456789.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\fifyt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\fifyt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\PO456789.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\PO456789.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: unknown Process created: C:\Users\user\Desktop\PO456789.exe 'C:\Users\user\Desktop\PO456789.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\PO456789.exe' 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Users\user\AppData\Local\fifyt.exe C:\Users\user\AppData\Local\fifyt.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4E7.tmp'
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC96C.tmp'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 0
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Users\user\AppData\Local\fifyt.exe 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'fiffyt' /t REG_SZ /d 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: C:\Users\user\Desktop\PO456789.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\PO456789.exe' 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: C:\Users\user\Desktop\PO456789.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Local\fifyt.exe'
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\fifyt.exe C:\Users\user\AppData\Local\fifyt.exe