
Analysis Report DOC.exe

Overview

General Information

Sample Name: DOC.exe
Analysis ID: 319643
MD5: 6ad10f04afb24c96187b76129225c00c
SHA1: 561fed791a4a4a10ec9889e3e30f0c4e0db80fd0
SHA256: c8d2f56a87705f11451e14e6ed7fe90a5b995b3e7f668811fb2f43a8f4325579
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DOC.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\DOC.exe' MD5: 6AD10F04AFB24C96187B76129225C00C)
    • schtasks.exe (PID: 6696 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DOC.exe (PID: 6752 cmdline: {path} MD5: 6AD10F04AFB24C96187B76129225C00C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xfbbfd:$x1: NanoCore.ClientPluginHost
  • 0xfbc3a:$x2: IClientNetworkHost
  • 0xff76d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfb965:$a: NanoCore
  • 0xfb975:$a: NanoCore
  • 0xfbba9:$a: NanoCore
  • 0xfbbbd:$a: NanoCore
  • 0xfbbfd:$a: NanoCore
  • 0xfb9c4:$b: ClientPlugin
  • 0xfbbc6:$b: ClientPlugin
  • 0xfbc06:$b: ClientPlugin
  • 0xfbaeb:$c: ProjectData
  • 0xfc4f2:$d: DESCrypto
  • 0x103ebe:$e: KeepAlive
  • 0x101eac:$g: LogClientMessage
  • 0xfe0a7:$i: get_Connected
  • 0xfc828:$j: #=q
  • 0xfc858:$j: #=q
  • 0xfc874:$j: #=q
  • 0xfc8a4:$j: #=q
  • 0xfc8c0:$j: #=q
  • 0xfc8dc:$j: #=q
  • 0xfc90c:$j: #=q
  • 0xfc928:$j: #=q
00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x250b1d:$x1: NanoCore.ClientPluginHost
  • 0x250b5a:$x2: IClientNetworkHost
  • 0x25468d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(8 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\DOC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DOC.exe' , ParentImage: C:\Users\user\Desktop\DOC.exe, ParentProcessId: 6600, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp', ProcessId: 6696

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CZOIAvjovs.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: DOC.exe | ReversingLabs: Detection: 18%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY
Source: C:\Users\user\Desktop\DOC.exe | Code function: 4x nop then jmp 05C45F32h | 0_2_05C451D5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49723 -> 23.105.131.162:4040
Source: global traffic | TCP traffic: 192.168.2.7:49723 -> 23.105.131.162:4040
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown | TCP traffic detected without corresponding DNS query: 23.105.131.162 (100 identical entries)
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, DOC.exe, 00000000.00000003.242124625.000000000541D000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DOC.exe, 00000000.00000003.242614903.000000000541A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: DOC.exe, 00000000.00000003.242614903.000000000541A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comizey
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DOC.exe, 00000000.00000003.242274345.000000000542D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.Z
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFJ
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/f
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com0
Source: DOC.exe, 00000000.00000003.244081653.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: DOC.exe, 00000000.00000002.257330031.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFm.
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: DOC.exe, 00000000.00000003.245481149.000000000542A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgretaJ
Source: DOC.exe, 00000000.00000002.257330031.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrita9
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlicdS
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsiefx
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DOC.exe, 00000000.00000003.241955458.000000000542D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DOC.exe, 00000000.00000003.244700687.000000000542A000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: DOC.exe, 00000000.00000003.244700687.000000000542A000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/A
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Conn
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: DOC.exe, 00000000.00000003.243289341.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Regux
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Webd
Source: DOC.exe, 00000000.00000003.243289341.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0so
Source: DOC.exe, 00000000.00000003.242822237.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/anie
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/0
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comeuG
Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comte?
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DOC.exe, 00000000.00000003.242216750.000000000542C000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnue
      Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f
      Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comeuG
      Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comte?
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: DOC.exe, 00000000.00000003.242216750.000000000542C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnue

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: DOC.exe PID: 6752, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD1756 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD1725 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161329
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05160B80
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0516E7C0
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051689E8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161C48
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05160098
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168C80
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05162AF0
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168318
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161731
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05160B39
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168328
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161780
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0516A1A8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051649D0
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164BDA
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051689D9
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051649C2
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051629F8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164BE8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168E11
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05163818
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05163808
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164831
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164840
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168C70
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0516947A
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05169488
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05C451D5
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05C43B83
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05C43FE7
      Source: DOC.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: CZOIAvjovs.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs DOC.exe
      Source: DOC.exe, 00000000.00000002.257133468.0000000005380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DOC.exe
      Source: DOC.exe, 00000000.00000002.258925636.00000000061B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs DOC.exe
      Source: DOC.exe, 00000000.00000000.239695576.00000000009A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename*Yd.exeR vs DOC.exe
      Source: DOC.exe, 00000000.00000002.259026086.00000000061E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DOC.exe
      Source: DOC.exe, 00000000.00000002.259026086.00000000061E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DOC.exe
      Source: DOC.exe, 00000000.00000002.260831523.00000000076B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DOC.exe
      Source: DOC.exe, 00000003.00000000.251653756.0000000000C00000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename*Yd.exeR vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe | Binary or memory string: OriginalFilename*Yd.exeR vs DOC.exe
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: DOC.exe PID: 6752, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/7@0/1
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD15DA AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD15A3 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Roaming\CZOIAvjovs.exe
      Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{dcac4b5d-9a8e-4643-8c5a-3d27f5de9c1d}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
      Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\JwXsFUTyQgmRAdZVtlXuPjQ
      Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3870.tmp
      Source: DOC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\DOC.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: DOC.exe | ReversingLabs: Detection: 18%
      Source: DOC.exe | String found in binary or memory: icons8-Add-16
      Source: DOC.exe | String found in binary or memory: icons8-Add-16UW
      Source: C:\Users\user\Desktop\DOC.exe | File read: C:\Users\user\Desktop\DOC.exe
      Source: unknown | Process created: C:\Users\user\Desktop\DOC.exe 'C:\Users\user\Desktop\DOC.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\DOC.exe {path}
      Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'
      Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Users\user\Desktop\DOC.exe {path}
      Source: C:\Users\user\Desktop\DOC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: DOC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: DOC.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: DOC.exe | Static file information: File size 1119744 > 1048576
      Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: DOC.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10d000
      Source: DOC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: mscorrc.pdb source: DOC.exe, 00000000.00000002.257133468.0000000005380000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_00892092 push eax; ret 0_2_00892091
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0089270D push 00000019h; ret 0_2_0089278C
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0089272E push 00000019h; ret 0_2_0089278C
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_00892050 push eax; ret 0_2_00892091
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05167053 push ss; ret 0_2_05167059
      Source: initial sample | Static PE information: section name: .text entropy: 7.38686348526
      Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Roaming\CZOIAvjovs.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Users\user\Desktop\DOC.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\DOC.exe | Process information set: NOOPENFILEERRORBOX