Analysis Report Doc.exe

Overview

General Information

Sample Name:	Doc.exe
Analysis ID:	341408
MD5:	c853495818db3fddf333ce3eaf5e6cc3
SHA1:	51dfa28d2bf0af44de903fa80e4458110155f34b
SHA256:	799087f4f62932dbe6405946e5fc9215c9df899909c15f0c1d876ec28e9436b0
Tags:	exeNanoCoreRATYahoo
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Protects its processes via BreakOnTermination flag

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: Doc.exe.6524.22.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for domain / URL

Source: innocentbooii.hopto.org

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: Doc.exe	Virustotal: Detection: 33%			Perma Link
Source: Doc.exe	ReversingLabs: Detection: 39%

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Doc.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.Doc.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.Doc.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: Doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Doc.exe, 00000006.00000002.601742047.0000000003125000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.329884797.0000000005770000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357185868.00000000078A0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Doc.exe

Code function: 4x nop then mov esp, ebp

6_2_030B8930

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 172.111.249.15

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 154.120.95.234:55420

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU
Source: Joe Sandbox View	ASN Name: SpectranetNG SpectranetNG

Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15

Source: unknown

DNS traffic detected: queries for: innocentbooii.hopto.org

Source: Doc.exe, 00000000.00000003.245606571.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/CSMDataSet.xsd
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com7
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com_
Source: Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comei
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coms
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comy
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTFe
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitud
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoA
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitul
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrz
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp, Doc.exe, 00000000.00000003.244042748.00000000080E0000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Doc.exe, 00000000.00000003.244057616.00000000080E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn&
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnX
Source: Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Doc.exe, 00000000.00000003.246980374.00000000080DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Doc.exe, 00000000.00000003.246301474.00000000080D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ldZ
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i-f
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/l
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k-s
Source: Doc.exe, 00000000.00000003.246461974.00000000080D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn_
Source: Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cne
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnk

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Doc.exe, 00000000.00000002.273691048.000000000174A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Doc.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

PE file contains section with special chars

Source: Doc.exe	Static PE information: section name: 2)-Lp$
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name: 2)-Lp$
Source: dhcpmon.exe.6.dr	Static PE information: section name: 2)-Lp$

PE file has nameless sections

Source: Doc.exe	Static PE information: section name:
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name:
Source: dhcpmon.exe.6.dr	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CABEE NtQuerySystemInformation,	0_2_016CABEE
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CABB3 NtQuerySystemInformation,	0_2_016CABB3
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03111836 NtQuerySystemInformation,	6_2_03111836
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03111572 NtSetInformationProcess,	6_2_03111572
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03111541 NtSetInformationProcess,	6_2_03111541
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_031117FB NtQuerySystemInformation,	6_2_031117FB
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170ABEE NtQuerySystemInformation,	13_2_0170ABEE
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170ABB3 NtQuerySystemInformation,	13_2_0170ABB3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0ABEE NtQuerySystemInformation,	15_2_00F0ABEE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0ABB3 NtQuerySystemInformation,	15_2_00F0ABB3

Detected potential crypto function

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E2594	0_2_019E2594
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E1D90	0_2_019E1D90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E3D80	0_2_019E3D80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E11B1	0_2_019E11B1
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019EFD28	0_2_019EFD28
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E6031	0_2_019E6031
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E907F	0_2_019E907F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E2F18	0_2_019E2F18
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E010C	0_2_019E010C
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E3C8F	0_2_019E3C8F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E98B0	0_2_019E98B0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E1CF9	0_2_019E1CF9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5C00	0_2_019E5C00
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E987D	0_2_019E987D
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5470	0_2_019E5470
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5460	0_2_019E5460
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019EF7A8	0_2_019EF7A8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5BF0	0_2_019E5BF0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E9318	0_2_019E9318
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E9309	0_2_019E9309
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E4A90	0_2_019E4A90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E4A80	0_2_019E4A80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E2A10	0_2_019E2A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5A10	0_2_019E5A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5A20	0_2_019E5A20
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5E78	0_2_019E5E78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E6A68	0_2_019E6A68
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5E69	0_2_019E5E69
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D56F4	0_2_069D56F4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D3B98	0_2_069D3B98
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D43F8	0_2_069D43F8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D0988	0_2_069D0988
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D43E8	0_2_069D43E8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D1890	0_2_069D1890
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D1880	0_2_069D1880
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D3C58	0_2_069D3C58
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D15D8	0_2_069D15D8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D01E9	0_2_069D01E9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D15E8	0_2_069D15E8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D097A	0_2_069D097A
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_09331D09	0_2_09331D09
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_09333B80	0_2_09333B80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A9098	5_2_004A9098
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE9098	6_2_00DE9098
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B2FA8	6_2_030B2FA8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B23A0	6_2_030B23A0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B9A78	6_2_030B9A78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B8E78	6_2_030B8E78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030BB6D8	6_2_030BB6D8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B3850	6_2_030B3850
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030BA320	6_2_030BA320
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B9B3F	6_2_030B9B3F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B306F	6_2_030B306F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B2F18	13_2_031B2F18
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B1229	13_2_031B1229
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031BFD28	13_2_031BFD28
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B1D90	13_2_031B1D90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B2594	13_2_031B2594
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B3D80	13_2_031B3D80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B6031	13_2_031B6031
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031BA420	13_2_031BA420
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B907F	13_2_031B907F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B9318	13_2_031B9318
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B9309	13_2_031B9309
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031BF7A8	13_2_031BF7A8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5BF0	13_2_031B5BF0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B2A10	13_2_031B2A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5A10	13_2_031B5A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5A20	13_2_031B5A20
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5E78	13_2_031B5E78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5E69	13_2_031B5E69
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B6A68	13_2_031B6A68
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B4A90	13_2_031B4A90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B4A80	13_2_031B4A80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B6AE3	13_2_031B6AE3
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B010C	13_2_031B010C
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5C00	13_2_031B5C00
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5470	13_2_031B5470
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5460	13_2_031B5460
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B3C9E	13_2_031B3C9E
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B98B0	13_2_031B98B0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B3CA5	13_2_031B3CA5
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B1CF9	13_2_031B1CF9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B00988	13_2_05B00988
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B03B98	13_2_05B03B98
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B043F8	13_2_05B043F8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B056F4	13_2_05B056F4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B015E8	13_2_05B015E8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B001E9	13_2_05B001E9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B015D8	13_2_05B015D8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B0097A	13_2_05B0097A
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B01890	13_2_05B01890
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B01880	13_2_05B01880
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B03C58	13_2_05B03C58
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B01370	13_2_05B01370
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_070D1D09	13_2_070D1D09
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_070D3B52	13_2_070D3B52
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_070D3B80	13_2_070D3B80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02982F18	15_2_02982F18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02986031	15_2_02986031
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298907F	15_2_0298907F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02981D90	15_2_02981D90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02982589	15_2_02982589
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02983D80	15_2_02983D80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_029811B1	15_2_029811B1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298FD28	15_2_0298FD28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02984A90	15_2_02984A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02984A80	15_2_02984A80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02982A10	15_2_02982A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985A10	15_2_02985A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985A20	15_2_02985A20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985E78	15_2_02985E78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02986A68	15_2_02986A68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985E69	15_2_02985E69
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298F7A8	15_2_0298F7A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985BF0	15_2_02985BF0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02989318	15_2_02989318
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02989309	15_2_02989309
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02983C8F	15_2_02983C8F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_029898B0	15_2_029898B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02981CF9	15_2_02981CF9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985C00	15_2_02985C00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298987D	15_2_0298987D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985470	15_2_02985470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985460	15_2_02985460
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02980102	15_2_02980102
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05750988	15_2_05750988
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057543F8	15_2_057543F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05753B98	15_2_05753B98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057556F4	15_2_057556F4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0575097B	15_2_0575097B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057501E9	15_2_057501E9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057515E8	15_2_057515E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057515D8	15_2_057515D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05753C58	15_2_05753C58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05751890	15_2_05751890
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05751880	15_2_05751880
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057543E8	15_2_057543E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0575EAA8	15_2_0575EAA8

PE file contains strange resources

Source: Doc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dEkaSoUjP.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Doc.exe	Binary or memory string: OriginalFilename vs Doc.exe
Source: Doc.exe, 00000000.00000002.272844069.0000000000FCE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Doc.exe
Source: Doc.exe, 00000000.00000002.273691048.000000000174A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs Doc.exe
Source: Doc.exe, 00000000.00000002.286908140.0000000009990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Doc.exe
Source: Doc.exe, 00000000.00000002.278683853.00000000069F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Doc.exe
Source: Doc.exe, 00000000.00000002.288923199.000000000A250000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Doc.exe
Source: Doc.exe, 00000000.00000002.288923199.000000000A250000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc.exe
Source: Doc.exe, 00000000.00000002.288764211.000000000A150000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Doc.exe
Source: Doc.exe, 00000005.00000002.270139106.000000000050E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe, 00000006.00000002.601689511.0000000003100000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Doc.exe
Source: Doc.exe, 00000006.00000002.599703588.0000000000E4E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe	Binary or memory string: OriginalFilename vs Doc.exe
Source: Doc.exe, 0000000D.00000002.336887567.0000000007050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Doc.exe
Source: Doc.exe, 0000000D.00000000.282841557.0000000000F2E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe, 0000000D.00000002.337880178.0000000007AF0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Doc.exe
Source: Doc.exe, 0000000D.00000002.337786520.0000000007870000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Doc.exe
Source: Doc.exe, 0000000D.00000002.337786520.0000000007870000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc.exe
Source: Doc.exe, 0000000D.00000002.336155358.0000000006E80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Doc.exe
Source: Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Doc.exe
Source: Doc.exe, 00000016.00000002.339689171.0000000004F60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Doc.exe
Source: Doc.exe, 00000016.00000000.319457326.000000000072E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe	Binary or memory string: OriginalFilename~ vs Doc.exe

Uses 32bit PE files

Source: Doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Doc.exe	Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
Source: dEkaSoUjP.exe.0.dr	Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
Source: dhcpmon.exe.6.dr	Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/12@5/3

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CA592 AdjustTokenPrivileges,	0_2_016CA592
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CA55B AdjustTokenPrivileges,	0_2_016CA55B
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_031113F6 AdjustTokenPrivileges,	6_2_031113F6
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_031113BF AdjustTokenPrivileges,	6_2_031113BF
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170A592 AdjustTokenPrivileges,	13_2_0170A592
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170A55B AdjustTokenPrivileges,	13_2_0170A55B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0A592 AdjustTokenPrivileges,	15_2_00F0A592
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0A55B AdjustTokenPrivileges,	15_2_00F0A55B

Source: C:\Users\user\Desktop\Doc.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

File created: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\klWoWNDQjWHCoOgJjdNoeVBUO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_01
Source: C:\Users\user\Desktop\Doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\Doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f54d19ad-33bd-4372-9241-49940a512cfd}

Source: C:\Users\user\Desktop\Doc.exe

File created: C:\Users\user\AppData\Local\Temp\tmp58A2.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Doc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[MANUF_ORDER] ([ORDER_ID], [EMPLOYEE_ID], [CAR_ID], [MANUFACTURER_ID], [ORDER_DATE], [BILL]) VALUES (@ORDER_ID, @EMPLOYEE_ID, @CAR_ID, @MANUFACTURER_ID, @ORDER_DATE, @BILL);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[EMPLOYEE] SET [EMPLOYEE_ID] = @EMPLOYEE_ID, [EMPLOYEE_NAME] = @EMPLOYEE_NAME, [EMPLOYEE_PASSWORD] = @EMPLOYEE_PASSWORD, [EMPLOYEE_CONTACT] = @EMPLOYEE_CONTACT, [EMPLOYEE_ADDRESS] = @EMPLOYEE_ADDRESS, [EMPLOYEE_EMAIL] = @EMPLOYEE_EMAIL, [EMPLOYEE_DESIGNATION] = @EMPLOYEE_DESIGNATION WHERE (([EMPLOYEE_ID] = @Original_EMPLOYEE_ID) AND ([EMPLOYEE_NAME] = @Original_EMPLOYEE_NAME) AND ([EMPLOYEE_PASSWORD] = @Original_EMPLOYEE_PASSWORD) AND ([EMPLOYEE_CONTACT] = @Original_EMPLOYEE_CONTACT) AND ([EMPLOYEE_ADDRESS] = @Original_EMPLOYEE_ADDRESS) AND ([EMPLOYEE_EMAIL] = @Original_EMPLOYEE_EMAIL) AND ([EMPLOYEE_DESIGNATION] = @Original_EMPLOYEE_DESIGNATION));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[EMPLOYEE] ([EMPLOYEE_ID], [EMPLOYEE_NAME], [EMPLOYEE_PASSWORD], [EMPLOYEE_CONTACT], [EMPLOYEE_ADDRESS], [EMPLOYEE_EMAIL], [EMPLOYEE_DESIGNATION]) VALUES (@EMPLOYEE_ID, @EMPLOYEE_NAME, @EMPLOYEE_PASSWORD, @EMPLOYEE_CONTACT, @EMPLOYEE_ADDRESS, @EMPLOYEE_EMAIL, @EMPLOYEE_DESIGNATION);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[Car] SET [CAR_ID] = @CAR_ID, [CAR_NAME] = @CAR_NAME, [CAR_MODEL] = @CAR_MODEL, [CAR_COMPANY] = @CAR_COMPANY, [CAR_STATUS] = @CAR_STATUS, [CAR_PRICE] = @CAR_PRICE WHERE (([CAR_ID] = @Original_CAR_ID) AND ([CAR_NAME] = @Original_CAR_NAME) AND ([CAR_MODEL] = @Original_CAR_MODEL) AND ([CAR_COMPANY] = @Original_CAR_COMPANY) AND ([CAR_STATUS] = @Original_CAR_STATUS) AND ([CAR_PRICE] = @Original_CAR_PRICE));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[MANUFACTURER] ([MANUFACTURER_ID], [MANUFACTURER_NAME], [MANUFACTURER_EMAIL], [MANUFACTURER_ADDRESS], [MANUFACTURER_CONTACT]) VALUES (@MANUFACTURER_ID, @MANUFACTURER_NAME, @MANUFACTURER_EMAIL, @MANUFACTURER_ADDRESS, @MANUFACTURER_CONTACT);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[Car] ([CAR_ID], [CAR_NAME], [CAR_MODEL], [CAR_COMPANY], [CAR_STATUS], [CAR_PRICE]) VALUES (@CAR_ID, @CAR_NAME, @CAR_MODEL, @CAR_COMPANY, @CAR_STATUS, @CAR_PRICE);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[CUSTOMER_ORDER] SET [ORDER_ID] = @ORDER_ID, [EMPLOYEE_ID] = @EMPLOYEE_ID, [CAR_ID] = @CAR_ID, [CUSTOMER_CNIC] = @CUSTOMER_CNIC, [ORDER_DATE] = @ORDER_DATE, [BILL] = @BILL WHERE (([ORDER_ID] = @Original_ORDER_ID) AND ((@IsNull_EMPLOYEE_ID = 1 AND [EMPLOYEE_ID] IS NULL) OR ([EMPLOYEE_ID] = @Original_EMPLOYEE_ID)) AND ((@IsNull_CAR_ID = 1 AND [CAR_ID] IS NULL) OR ([CAR_ID] = @Original_CAR_ID)) AND ((@IsNull_CUSTOMER_CNIC = 1 AND [CUSTOMER_CNIC] IS NULL) OR ([CUSTOMER_CNIC] = @Original_CUSTOMER_CNIC)) AND ([ORDER_DATE] = @Original_ORDER_DATE) AND ([BILL] = @Original_BILL));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[CUSTOMER] ([CUSTOMER_CNIC], [CUSTOMER_NAME], [CUSTOMER_CONTACT], [CUSTOMER_ADDRESS]) VALUES (@CUSTOMER_CNIC, @CUSTOMER_NAME, @CUSTOMER_CONTACT, @CUSTOMER_ADDRESS);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[CUSTOMER] SET [CUSTOMER_CNIC] = @CUSTOMER_CNIC, [CUSTOMER_NAME] = @CUSTOMER_NAME, [CUSTOMER_CONTACT] = @CUSTOMER_CONTACT, [CUSTOMER_ADDRESS] = @CUSTOMER_ADDRESS WHERE (([CUSTOMER_CNIC] = @Original_CUSTOMER_CNIC) AND ([CUSTOMER_NAME] = @Original_CUSTOMER_NAME) AND ([CUSTOMER_CONTACT] = @Original_CUSTOMER_CONTACT) AND ([CUSTOMER_ADDRESS] = @Original_CUSTOMER_ADDRESS));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[CUSTOMER_ORDER] ([ORDER_ID], [EMPLOYEE_ID], [CAR_ID], [CUSTOMER_CNIC], [ORDER_DATE], [BILL]) VALUES (@ORDER_ID, @EMPLOYEE_ID, @CAR_ID, @CUSTOMER_CNIC, @ORDER_DATE, @BILL);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[MANUF_ORDER] SET [ORDER_ID] = @ORDER_ID, [EMPLOYEE_ID] = @EMPLOYEE_ID, [CAR_ID] = @CAR_ID, [MANUFACTURER_ID] = @MANUFACTURER_ID, [ORDER_DATE] = @ORDER_DATE, [BILL] = @BILL WHERE (([ORDER_ID] = @Original_ORDER_ID) AND ((@IsNull_EMPLOYEE_ID = 1 AND [EMPLOYEE_ID] IS NULL) OR ([EMPLOYEE_ID] = @Original_EMPLOYEE_ID)) AND ((@IsNull_CAR_ID = 1 AND [CAR_ID] IS NULL) OR ([CAR_ID] = @Original_CAR_ID)) AND ((@IsNull_MANUFACTURER_ID = 1 AND [MANUFACTURER_ID] IS NULL) OR ([MANUFACTURER_ID] = @Original_MANUFACTURER_ID)) AND ([ORDER_DATE] = @Original_ORDER_DATE) AND ([BILL] = @Original_BILL));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[MANUFACTURER] SET [MANUFACTURER_ID] = @MANUFACTURER_ID, [MANUFACTURER_NAME] = @MANUFACTURER_NAME, [MANUFACTURER_EMAIL] = @MANUFACTURER_EMAIL, [MANUFACTURER_ADDRESS] = @MANUFACTURER_ADDRESS, [MANUFACTURER_CONTACT] = @MANUFACTURER_CONTACT WHERE (([MANUFACTURER_ID] = @Original_MANUFACTURER_ID) AND ([MANUFACTURER_NAME] = @Original_MANUFACTURER_NAME) AND ([MANUFACTURER_EMAIL] = @Original_MANUFACTURER_EMAIL) AND ([MANUFACTURER_ADDRESS] = @Original_MANUFACTURER_ADDRESS) AND ([MANUFACTURER_CONTACT] = @Original_MANUFACTURER_CONTACT));

Source: Doc.exe	Virustotal: Detection: 33%
Source: Doc.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\Doc.exe

File read: C:\Users\user\Desktop\Doc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe 'C:\Users\user\Desktop\Doc.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe C:\Users\user\Desktop\Doc.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Doc.exe

Static file information: File size 1530880 > 1048576

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Doc.exe, 00000006.00000002.601742047.0000000003125000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.329884797.0000000005770000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357185868.00000000078A0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Doc.exe	Unpacked PE file: 0.2.Doc.exe.e70000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Users\user\Desktop\Doc.exe	Unpacked PE file: 13.2.Doc.exe.dd0000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 15.2.dhcpmon.exe.4a0000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 19.2.dhcpmon.exe.680000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

.NET source code contains potential unpacker

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0xC7A08D7A [Mon Feb 17 17:59:22 2076 UTC]

PE file contains sections with non-standard names

Source: Doc.exe	Static PE information: section name: 2)-Lp$
Source: Doc.exe	Static PE information: section name:
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name: 2)-Lp$
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name:
Source: dhcpmon.exe.6.dr	Static PE information: section name: 2)-Lp$
Source: dhcpmon.exe.6.dr	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE44BC push edx; ret	0_2_00EE44BD
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE1CB1 push ecx; retf	0_2_00EE1CDB
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE094D push cs; ret	0_2_00EE0969
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE312B push ecx; iretd	0_2_00EE312C
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016C2654 push ss; ret	0_2_016C2676
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016C28C8 push cs; ret	0_2_016C28DA
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016C2DA9 push es; ret	0_2_016C2DAA
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E64B0 push ecx; retf	0_2_019E64B1
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E33DF push edx; ret	0_2_019E33E0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E7314 push eax; iretd	0_2_019E7315
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E1A81 push ecx; iretd	0_2_019E1A89
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A3863 push ebp; ret	5_2_004A38AF
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1867 push es; iretd	5_2_004A1884
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A18DD push es; iretd	5_2_004A18E4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A18EE push es; iretd	5_2_004A1934
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A18B3 push es; iretd	5_2_004A18B4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1946 push es; iretd	5_2_004A1954
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1747 push es; iretd	5_2_004A1754
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1756 push es; iretd	5_2_004A1764
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1766 push es; iretd	5_2_004A1774
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1705 push es; iretd	5_2_004A1744
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1937 push es; iretd	5_2_004A1944
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1797 push es; iretd	5_2_004A17A4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A17A6 push es; iretd	5_2_004A17B4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE18DD push es; iretd	6_2_00DE18E4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE18EE push es; iretd	6_2_00DE1934
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE18B3 push es; iretd	6_2_00DE18B4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE1867 push es; iretd	6_2_00DE1884
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE3863 push ebp; ret	6_2_00DE38AF
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE1797 push es; iretd	6_2_00DE17A4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE17A6 push es; iretd	6_2_00DE17B4

Source: initial sample	Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
Source: initial sample	Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
Source: initial sample	Static PE information: section name: 2)-Lp$ entropy: 7.99982367826

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\Doc.exe	File created: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Doc.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Users\user\Desktop\Doc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 0000000D.00000002.326488687.0000000003667000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.350701608.00000000030AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3720, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1112, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1(R
Source: Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R.:

Contains capabilities to detect virtual machines

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Doc.exe	Window / User API: threadDelayed 718	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Window / User API: foregroundWindowGot 1164	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Window / User API: foregroundWindowGot 393	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Doc.exe TID: 6064	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 4576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 3552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 3888	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 1100	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 1496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1036	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6332	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 6576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7032	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Doc.exe

Code function: 6_2_0311161A GetSystemInfo,

6_2_0311161A

Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware\|9(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: vmwareX1(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1(r48
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rQ8
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware \|9(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: QEMUX1(r%:

Source: C:\Users\user\Desktop\Doc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Code function: 15_2_00F0A172 CheckRemoteDebuggerPresent,

15_2_00F0A172

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Doc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Doc.exe	Memory written: C:\Users\user\Desktop\Doc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Memory written: C:\Users\user\Desktop\Doc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior

Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: Doc.exe, 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Doc.exe, 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03112DE6 bind,		6_2_03112DE6
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03112DA5 bind,		6_2_03112DA5

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.111.249.15	unknown	United States		45671	AS45671-NET-AUWholesaleServicesProviderAU	true
154.120.95.234	unknown	Nigeria		37340	SpectranetNG	true

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
innocentbooii.hopto.org	154.120.95.234	true

AV Detection:

Found malware configuration

Source: Doc.exe.6524.22.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for domain / URL

Source: innocentbooii.hopto.org

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: Doc.exe	Virustotal: Detection: 33%			Perma Link
Source: Doc.exe	ReversingLabs: Detection: 39%

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Doc.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.Doc.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.Doc.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: Doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Doc.exe, 00000006.00000002.601742047.0000000003125000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.329884797.0000000005770000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357185868.00000000078A0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Doc.exe

Code function: 4x nop then mov esp, ebp

6_2_030B8930

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 172.111.249.15

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 154.120.95.234:55420

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU
Source: Joe Sandbox View	ASN Name: SpectranetNG SpectranetNG

Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.249.15

Source: unknown

DNS traffic detected: queries for: innocentbooii.hopto.org

Source: Doc.exe, 00000000.00000003.245606571.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/CSMDataSet.xsd
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com7
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com_
Source: Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comei
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coms
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comy
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTFe
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitud
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoA
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitul
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrz
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp, Doc.exe, 00000000.00000003.244042748.00000000080E0000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Doc.exe, 00000000.00000003.244057616.00000000080E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn&
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnX
Source: Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Doc.exe, 00000000.00000003.246980374.00000000080DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Doc.exe, 00000000.00000003.246301474.00000000080D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ldZ
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i-f
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/l
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k-s
Source: Doc.exe, 00000000.00000003.246461974.00000000080D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn_
Source: Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cne
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnk

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Doc.exe, 00000000.00000002.273691048.000000000174A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Doc.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

PE file contains section with special chars

Source: Doc.exe	Static PE information: section name: 2)-Lp$
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name: 2)-Lp$
Source: dhcpmon.exe.6.dr	Static PE information: section name: 2)-Lp$

PE file has nameless sections

Source: Doc.exe	Static PE information: section name:
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name:
Source: dhcpmon.exe.6.dr	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CABEE NtQuerySystemInformation,	0_2_016CABEE
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CABB3 NtQuerySystemInformation,	0_2_016CABB3
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03111836 NtQuerySystemInformation,	6_2_03111836
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03111572 NtSetInformationProcess,	6_2_03111572
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03111541 NtSetInformationProcess,	6_2_03111541
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_031117FB NtQuerySystemInformation,	6_2_031117FB
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170ABEE NtQuerySystemInformation,	13_2_0170ABEE
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170ABB3 NtQuerySystemInformation,	13_2_0170ABB3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0ABEE NtQuerySystemInformation,	15_2_00F0ABEE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0ABB3 NtQuerySystemInformation,	15_2_00F0ABB3

Detected potential crypto function

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E2594	0_2_019E2594
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E1D90	0_2_019E1D90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E3D80	0_2_019E3D80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E11B1	0_2_019E11B1
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019EFD28	0_2_019EFD28
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E6031	0_2_019E6031
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E907F	0_2_019E907F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E2F18	0_2_019E2F18
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E010C	0_2_019E010C
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E3C8F	0_2_019E3C8F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E98B0	0_2_019E98B0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E1CF9	0_2_019E1CF9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5C00	0_2_019E5C00
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E987D	0_2_019E987D
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5470	0_2_019E5470
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5460	0_2_019E5460
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019EF7A8	0_2_019EF7A8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5BF0	0_2_019E5BF0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E9318	0_2_019E9318
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E9309	0_2_019E9309
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E4A90	0_2_019E4A90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E4A80	0_2_019E4A80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E2A10	0_2_019E2A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5A10	0_2_019E5A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5A20	0_2_019E5A20
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5E78	0_2_019E5E78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E6A68	0_2_019E6A68
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E5E69	0_2_019E5E69
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D56F4	0_2_069D56F4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D3B98	0_2_069D3B98
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D43F8	0_2_069D43F8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D0988	0_2_069D0988
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D43E8	0_2_069D43E8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D1890	0_2_069D1890
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D1880	0_2_069D1880
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D3C58	0_2_069D3C58
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D15D8	0_2_069D15D8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D01E9	0_2_069D01E9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D15E8	0_2_069D15E8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_069D097A	0_2_069D097A
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_09331D09	0_2_09331D09
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_09333B80	0_2_09333B80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A9098	5_2_004A9098
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE9098	6_2_00DE9098
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B2FA8	6_2_030B2FA8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B23A0	6_2_030B23A0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B9A78	6_2_030B9A78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B8E78	6_2_030B8E78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030BB6D8	6_2_030BB6D8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B3850	6_2_030B3850
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030BA320	6_2_030BA320
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B9B3F	6_2_030B9B3F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_030B306F	6_2_030B306F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B2F18	13_2_031B2F18
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B1229	13_2_031B1229
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031BFD28	13_2_031BFD28
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B1D90	13_2_031B1D90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B2594	13_2_031B2594
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B3D80	13_2_031B3D80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B6031	13_2_031B6031
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031BA420	13_2_031BA420
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B907F	13_2_031B907F
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B9318	13_2_031B9318
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B9309	13_2_031B9309
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031BF7A8	13_2_031BF7A8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5BF0	13_2_031B5BF0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B2A10	13_2_031B2A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5A10	13_2_031B5A10
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5A20	13_2_031B5A20
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5E78	13_2_031B5E78
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5E69	13_2_031B5E69
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B6A68	13_2_031B6A68
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B4A90	13_2_031B4A90
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B4A80	13_2_031B4A80
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B6AE3	13_2_031B6AE3
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B010C	13_2_031B010C
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5C00	13_2_031B5C00
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5470	13_2_031B5470
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B5460	13_2_031B5460
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B3C9E	13_2_031B3C9E
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B98B0	13_2_031B98B0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B3CA5	13_2_031B3CA5
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_031B1CF9	13_2_031B1CF9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B00988	13_2_05B00988
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B03B98	13_2_05B03B98
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B043F8	13_2_05B043F8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B056F4	13_2_05B056F4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B015E8	13_2_05B015E8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B001E9	13_2_05B001E9
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B015D8	13_2_05B015D8
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B0097A	13_2_05B0097A
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B01890	13_2_05B01890
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B01880	13_2_05B01880
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B03C58	13_2_05B03C58
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_05B01370	13_2_05B01370
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_070D1D09	13_2_070D1D09
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_070D3B52	13_2_070D3B52
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_070D3B80	13_2_070D3B80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02982F18	15_2_02982F18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02986031	15_2_02986031
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298907F	15_2_0298907F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02981D90	15_2_02981D90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02982589	15_2_02982589
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02983D80	15_2_02983D80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_029811B1	15_2_029811B1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298FD28	15_2_0298FD28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02984A90	15_2_02984A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02984A80	15_2_02984A80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02982A10	15_2_02982A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985A10	15_2_02985A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985A20	15_2_02985A20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985E78	15_2_02985E78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02986A68	15_2_02986A68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985E69	15_2_02985E69
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298F7A8	15_2_0298F7A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985BF0	15_2_02985BF0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02989318	15_2_02989318
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02989309	15_2_02989309
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02983C8F	15_2_02983C8F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_029898B0	15_2_029898B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02981CF9	15_2_02981CF9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985C00	15_2_02985C00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0298987D	15_2_0298987D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985470	15_2_02985470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02985460	15_2_02985460
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02980102	15_2_02980102
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05750988	15_2_05750988
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057543F8	15_2_057543F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05753B98	15_2_05753B98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057556F4	15_2_057556F4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0575097B	15_2_0575097B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057501E9	15_2_057501E9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057515E8	15_2_057515E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057515D8	15_2_057515D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05753C58	15_2_05753C58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05751890	15_2_05751890
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_05751880	15_2_05751880
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_057543E8	15_2_057543E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_0575EAA8	15_2_0575EAA8

PE file contains strange resources

Source: Doc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dEkaSoUjP.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Doc.exe	Binary or memory string: OriginalFilename vs Doc.exe
Source: Doc.exe, 00000000.00000002.272844069.0000000000FCE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Doc.exe
Source: Doc.exe, 00000000.00000002.273691048.000000000174A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs Doc.exe
Source: Doc.exe, 00000000.00000002.286908140.0000000009990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Doc.exe
Source: Doc.exe, 00000000.00000002.278683853.00000000069F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Doc.exe
Source: Doc.exe, 00000000.00000002.288923199.000000000A250000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Doc.exe
Source: Doc.exe, 00000000.00000002.288923199.000000000A250000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc.exe
Source: Doc.exe, 00000000.00000002.288764211.000000000A150000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Doc.exe
Source: Doc.exe, 00000005.00000002.270139106.000000000050E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe, 00000006.00000002.601689511.0000000003100000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Doc.exe
Source: Doc.exe, 00000006.00000002.599703588.0000000000E4E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe	Binary or memory string: OriginalFilename vs Doc.exe
Source: Doc.exe, 0000000D.00000002.336887567.0000000007050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Doc.exe
Source: Doc.exe, 0000000D.00000000.282841557.0000000000F2E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe, 0000000D.00000002.337880178.0000000007AF0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Doc.exe
Source: Doc.exe, 0000000D.00000002.337786520.0000000007870000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Doc.exe
Source: Doc.exe, 0000000D.00000002.337786520.0000000007870000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc.exe
Source: Doc.exe, 0000000D.00000002.336155358.0000000006E80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Doc.exe
Source: Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Doc.exe
Source: Doc.exe, 00000016.00000002.339689171.0000000004F60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Doc.exe
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Doc.exe
Source: Doc.exe, 00000016.00000000.319457326.000000000072E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename~ vs Doc.exe
Source: Doc.exe	Binary or memory string: OriginalFilename~ vs Doc.exe

Uses 32bit PE files

Source: Doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Doc.exe	Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
Source: dEkaSoUjP.exe.0.dr	Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
Source: dhcpmon.exe.6.dr	Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/12@5/3

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CA592 AdjustTokenPrivileges,	0_2_016CA592
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016CA55B AdjustTokenPrivileges,	0_2_016CA55B
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_031113F6 AdjustTokenPrivileges,	6_2_031113F6
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_031113BF AdjustTokenPrivileges,	6_2_031113BF
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170A592 AdjustTokenPrivileges,	13_2_0170A592
Source: C:\Users\user\Desktop\Doc.exe	Code function: 13_2_0170A55B AdjustTokenPrivileges,	13_2_0170A55B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0A592 AdjustTokenPrivileges,	15_2_00F0A592
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F0A55B AdjustTokenPrivileges,	15_2_00F0A55B

Source: C:\Users\user\Desktop\Doc.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

File created: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\klWoWNDQjWHCoOgJjdNoeVBUO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_01
Source: C:\Users\user\Desktop\Doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\Doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f54d19ad-33bd-4372-9241-49940a512cfd}

Source: C:\Users\user\Desktop\Doc.exe

File created: C:\Users\user\AppData\Local\Temp\tmp58A2.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Doc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[MANUF_ORDER] ([ORDER_ID], [EMPLOYEE_ID], [CAR_ID], [MANUFACTURER_ID], [ORDER_DATE], [BILL]) VALUES (@ORDER_ID, @EMPLOYEE_ID, @CAR_ID, @MANUFACTURER_ID, @ORDER_DATE, @BILL);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[EMPLOYEE] SET [EMPLOYEE_ID] = @EMPLOYEE_ID, [EMPLOYEE_NAME] = @EMPLOYEE_NAME, [EMPLOYEE_PASSWORD] = @EMPLOYEE_PASSWORD, [EMPLOYEE_CONTACT] = @EMPLOYEE_CONTACT, [EMPLOYEE_ADDRESS] = @EMPLOYEE_ADDRESS, [EMPLOYEE_EMAIL] = @EMPLOYEE_EMAIL, [EMPLOYEE_DESIGNATION] = @EMPLOYEE_DESIGNATION WHERE (([EMPLOYEE_ID] = @Original_EMPLOYEE_ID) AND ([EMPLOYEE_NAME] = @Original_EMPLOYEE_NAME) AND ([EMPLOYEE_PASSWORD] = @Original_EMPLOYEE_PASSWORD) AND ([EMPLOYEE_CONTACT] = @Original_EMPLOYEE_CONTACT) AND ([EMPLOYEE_ADDRESS] = @Original_EMPLOYEE_ADDRESS) AND ([EMPLOYEE_EMAIL] = @Original_EMPLOYEE_EMAIL) AND ([EMPLOYEE_DESIGNATION] = @Original_EMPLOYEE_DESIGNATION));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[EMPLOYEE] ([EMPLOYEE_ID], [EMPLOYEE_NAME], [EMPLOYEE_PASSWORD], [EMPLOYEE_CONTACT], [EMPLOYEE_ADDRESS], [EMPLOYEE_EMAIL], [EMPLOYEE_DESIGNATION]) VALUES (@EMPLOYEE_ID, @EMPLOYEE_NAME, @EMPLOYEE_PASSWORD, @EMPLOYEE_CONTACT, @EMPLOYEE_ADDRESS, @EMPLOYEE_EMAIL, @EMPLOYEE_DESIGNATION);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[Car] SET [CAR_ID] = @CAR_ID, [CAR_NAME] = @CAR_NAME, [CAR_MODEL] = @CAR_MODEL, [CAR_COMPANY] = @CAR_COMPANY, [CAR_STATUS] = @CAR_STATUS, [CAR_PRICE] = @CAR_PRICE WHERE (([CAR_ID] = @Original_CAR_ID) AND ([CAR_NAME] = @Original_CAR_NAME) AND ([CAR_MODEL] = @Original_CAR_MODEL) AND ([CAR_COMPANY] = @Original_CAR_COMPANY) AND ([CAR_STATUS] = @Original_CAR_STATUS) AND ([CAR_PRICE] = @Original_CAR_PRICE));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[MANUFACTURER] ([MANUFACTURER_ID], [MANUFACTURER_NAME], [MANUFACTURER_EMAIL], [MANUFACTURER_ADDRESS], [MANUFACTURER_CONTACT]) VALUES (@MANUFACTURER_ID, @MANUFACTURER_NAME, @MANUFACTURER_EMAIL, @MANUFACTURER_ADDRESS, @MANUFACTURER_CONTACT);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[Car] ([CAR_ID], [CAR_NAME], [CAR_MODEL], [CAR_COMPANY], [CAR_STATUS], [CAR_PRICE]) VALUES (@CAR_ID, @CAR_NAME, @CAR_MODEL, @CAR_COMPANY, @CAR_STATUS, @CAR_PRICE);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[CUSTOMER_ORDER] SET [ORDER_ID] = @ORDER_ID, [EMPLOYEE_ID] = @EMPLOYEE_ID, [CAR_ID] = @CAR_ID, [CUSTOMER_CNIC] = @CUSTOMER_CNIC, [ORDER_DATE] = @ORDER_DATE, [BILL] = @BILL WHERE (([ORDER_ID] = @Original_ORDER_ID) AND ((@IsNull_EMPLOYEE_ID = 1 AND [EMPLOYEE_ID] IS NULL) OR ([EMPLOYEE_ID] = @Original_EMPLOYEE_ID)) AND ((@IsNull_CAR_ID = 1 AND [CAR_ID] IS NULL) OR ([CAR_ID] = @Original_CAR_ID)) AND ((@IsNull_CUSTOMER_CNIC = 1 AND [CUSTOMER_CNIC] IS NULL) OR ([CUSTOMER_CNIC] = @Original_CUSTOMER_CNIC)) AND ([ORDER_DATE] = @Original_ORDER_DATE) AND ([BILL] = @Original_BILL));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[CUSTOMER] ([CUSTOMER_CNIC], [CUSTOMER_NAME], [CUSTOMER_CONTACT], [CUSTOMER_ADDRESS]) VALUES (@CUSTOMER_CNIC, @CUSTOMER_NAME, @CUSTOMER_CONTACT, @CUSTOMER_ADDRESS);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[CUSTOMER] SET [CUSTOMER_CNIC] = @CUSTOMER_CNIC, [CUSTOMER_NAME] = @CUSTOMER_NAME, [CUSTOMER_CONTACT] = @CUSTOMER_CONTACT, [CUSTOMER_ADDRESS] = @CUSTOMER_ADDRESS WHERE (([CUSTOMER_CNIC] = @Original_CUSTOMER_CNIC) AND ([CUSTOMER_NAME] = @Original_CUSTOMER_NAME) AND ([CUSTOMER_CONTACT] = @Original_CUSTOMER_CONTACT) AND ([CUSTOMER_ADDRESS] = @Original_CUSTOMER_ADDRESS));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO [dbo].[CUSTOMER_ORDER] ([ORDER_ID], [EMPLOYEE_ID], [CAR_ID], [CUSTOMER_CNIC], [ORDER_DATE], [BILL]) VALUES (@ORDER_ID, @EMPLOYEE_ID, @CAR_ID, @CUSTOMER_CNIC, @ORDER_DATE, @BILL);
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[MANUF_ORDER] SET [ORDER_ID] = @ORDER_ID, [EMPLOYEE_ID] = @EMPLOYEE_ID, [CAR_ID] = @CAR_ID, [MANUFACTURER_ID] = @MANUFACTURER_ID, [ORDER_DATE] = @ORDER_DATE, [BILL] = @BILL WHERE (([ORDER_ID] = @Original_ORDER_ID) AND ((@IsNull_EMPLOYEE_ID = 1 AND [EMPLOYEE_ID] IS NULL) OR ([EMPLOYEE_ID] = @Original_EMPLOYEE_ID)) AND ((@IsNull_CAR_ID = 1 AND [CAR_ID] IS NULL) OR ([CAR_ID] = @Original_CAR_ID)) AND ((@IsNull_MANUFACTURER_ID = 1 AND [MANUFACTURER_ID] IS NULL) OR ([MANUFACTURER_ID] = @Original_MANUFACTURER_ID)) AND ([ORDER_DATE] = @Original_ORDER_DATE) AND ([BILL] = @Original_BILL));
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp	Binary or memory string: UPDATE [dbo].[MANUFACTURER] SET [MANUFACTURER_ID] = @MANUFACTURER_ID, [MANUFACTURER_NAME] = @MANUFACTURER_NAME, [MANUFACTURER_EMAIL] = @MANUFACTURER_EMAIL, [MANUFACTURER_ADDRESS] = @MANUFACTURER_ADDRESS, [MANUFACTURER_CONTACT] = @MANUFACTURER_CONTACT WHERE (([MANUFACTURER_ID] = @Original_MANUFACTURER_ID) AND ([MANUFACTURER_NAME] = @Original_MANUFACTURER_NAME) AND ([MANUFACTURER_EMAIL] = @Original_MANUFACTURER_EMAIL) AND ([MANUFACTURER_ADDRESS] = @Original_MANUFACTURER_ADDRESS) AND ([MANUFACTURER_CONTACT] = @Original_MANUFACTURER_CONTACT));

Source: Doc.exe	Virustotal: Detection: 33%
Source: Doc.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\Doc.exe

File read: C:\Users\user\Desktop\Doc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe 'C:\Users\user\Desktop\Doc.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe C:\Users\user\Desktop\Doc.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Doc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Doc.exe

Static file information: File size 1530880 > 1048576

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Doc.exe, 00000006.00000002.601742047.0000000003125000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.329884797.0000000005770000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357185868.00000000078A0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Doc.exe	Unpacked PE file: 0.2.Doc.exe.e70000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Users\user\Desktop\Doc.exe	Unpacked PE file: 13.2.Doc.exe.dd0000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 15.2.dhcpmon.exe.4a0000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 19.2.dhcpmon.exe.680000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

.NET source code contains potential unpacker

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0xC7A08D7A [Mon Feb 17 17:59:22 2076 UTC]

PE file contains sections with non-standard names

Source: Doc.exe	Static PE information: section name: 2)-Lp$
Source: Doc.exe	Static PE information: section name:
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name: 2)-Lp$
Source: dEkaSoUjP.exe.0.dr	Static PE information: section name:
Source: dhcpmon.exe.6.dr	Static PE information: section name: 2)-Lp$
Source: dhcpmon.exe.6.dr	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE44BC push edx; ret	0_2_00EE44BD
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE1CB1 push ecx; retf	0_2_00EE1CDB
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE094D push cs; ret	0_2_00EE0969
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_00EE312B push ecx; iretd	0_2_00EE312C
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016C2654 push ss; ret	0_2_016C2676
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016C28C8 push cs; ret	0_2_016C28DA
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_016C2DA9 push es; ret	0_2_016C2DAA
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E64B0 push ecx; retf	0_2_019E64B1
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E33DF push edx; ret	0_2_019E33E0
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E7314 push eax; iretd	0_2_019E7315
Source: C:\Users\user\Desktop\Doc.exe	Code function: 0_2_019E1A81 push ecx; iretd	0_2_019E1A89
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A3863 push ebp; ret	5_2_004A38AF
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1867 push es; iretd	5_2_004A1884
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A18DD push es; iretd	5_2_004A18E4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A18EE push es; iretd	5_2_004A1934
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A18B3 push es; iretd	5_2_004A18B4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1946 push es; iretd	5_2_004A1954
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1747 push es; iretd	5_2_004A1754
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1756 push es; iretd	5_2_004A1764
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1766 push es; iretd	5_2_004A1774
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1705 push es; iretd	5_2_004A1744
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1937 push es; iretd	5_2_004A1944
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A1797 push es; iretd	5_2_004A17A4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 5_2_004A17A6 push es; iretd	5_2_004A17B4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE18DD push es; iretd	6_2_00DE18E4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE18EE push es; iretd	6_2_00DE1934
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE18B3 push es; iretd	6_2_00DE18B4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE1867 push es; iretd	6_2_00DE1884
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE3863 push ebp; ret	6_2_00DE38AF
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE1797 push es; iretd	6_2_00DE17A4
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_00DE17A6 push es; iretd	6_2_00DE17B4

Source: initial sample	Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
Source: initial sample	Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
Source: initial sample	Static PE information: section name: 2)-Lp$ entropy: 7.99982367826

Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\Doc.exe	File created: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Doc.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Doc.exe

File opened: C:\Users\user\Desktop\Doc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 0000000D.00000002.326488687.0000000003667000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.350701608.00000000030AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3720, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1112, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1(R
Source: Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R.:

Contains capabilities to detect virtual machines

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Doc.exe	Window / User API: threadDelayed 718	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Window / User API: foregroundWindowGot 1164	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Window / User API: foregroundWindowGot 393	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Doc.exe TID: 6064	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 4576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 3552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 3888	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 1100	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 1496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1036	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6332	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe TID: 6576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7032	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Doc.exe

Code function: 6_2_0311161A GetSystemInfo,

6_2_0311161A

Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware\|9(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: vmwareX1(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1(r48
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rQ8
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware \|9(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp	Binary or memory string: QEMUX1(r%:

Source: C:\Users\user\Desktop\Doc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Code function: 15_2_00F0A172 CheckRemoteDebuggerPresent,

15_2_00F0A172

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort	Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Doc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Doc.exe	Memory written: C:\Users\user\Desktop\Doc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Memory written: C:\Users\user\Desktop\Doc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Process created: C:\Users\user\Desktop\Doc.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior

Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: Doc.exe, 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Doc.exe, 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Source: Yara match	File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match	File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03112DE6 bind,		6_2_03112DE6
Source: C:\Users\user\Desktop\Doc.exe	Code function: 6_2_03112DA5 bind,		6_2_03112DA5

ID:	341408
Product:	CloudBasic
Start time:	10:22:14
Start date:	19.01.2021
Sample:	Doc.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c853495818db3fddf333ce3eaf5e6cc3
SHA1:	51dfa28d2bf0af44de903fa80e4458110155f34b
SHA256:	799087f4f62932dbe6405946e5fc9215c9df899909c15f0c1d876ec28e9436b0
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C853495818DB3FDDF333CE3EAF5E6CC3	51DFA28D2BF0AF44DE903FA80E4458110155F34B	799087F4F62932DBE6405946E5FC9215C9DF899909C15F0C1D876EC28E9436B0
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Doc.exe.log	ASCII text, with CRLF line terminators	61CCF53571C9ABA6511D696CB0D32E45	A13A42A20EC14942F52DB20FB16A0A520F8183CE	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log	ASCII text, with CRLF line terminators	61CCF53571C9ABA6511D696CB0D32E45	A13A42A20EC14942F52DB20FB16A0A520F8183CE	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
C:\Users\user\AppData\Local\Temp\tmp58A2.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	CE1BE564A3A2FC5A84B77D871C48403A	72FCBAD1A719615F75EA5DB50F5E2C42C057B408	E658B7A017F5F96155CFEEFB68260E340ACA2185A4C3CB59FA5933B327C93A15
C:\Users\user\AppData\Local\Temp\tmpB420.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	CE1BE564A3A2FC5A84B77D871C48403A	72FCBAD1A719615F75EA5DB50F5E2C42C057B408	E658B7A017F5F96155CFEEFB68260E340ACA2185A4C3CB59FA5933B327C93A15
C:\Users\user\AppData\Local\Temp\tmpD558.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	A248EE7904DBB7192DE9B87A0C445935	46D3C56F28A5D6E8AE17F722D37D1F9A7E28D851	A17BEEC25E493B9B4B2534770C25F2E667F8449891066819113B6E5DB3FF68FA
C:\Users\user\AppData\Local\Temp\tmpD876.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	5C2F41CFC6F988C859DA7D727AC2B62A	68999C85FC7E37BAB9216E0099836D40D4545C1C	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Local\Temp\tmpDD04.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	CE1BE564A3A2FC5A84B77D871C48403A	72FCBAD1A719615F75EA5DB50F5E2C42C057B408	E658B7A017F5F96155CFEEFB68260E340ACA2185A4C3CB59FA5933B327C93A15
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	data	0F537B5F4F20482B8B769AE429A9ACAE	1BD898059B9938529CFF3208C1FE31F641C84C2C	CCFF37E420E56A6BB38FE3FFCE46C9CCA7C4FA64A4FA49F65925911D0680B693
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat	ASCII text, with no line terminators	6DDAF09443278775838A4E5FC0A80DF6	9CD9265F32A1D9636E886A0D8D178C79F7D28026	550B94662EDD56B552AE175CD834E72FDCB11F2F01EC1680797E251857F679E8
C:\Users\user\AppData\Roaming\dEkaSoUjP.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C853495818DB3FDDF333CE3EAF5E6CC3	51DFA28D2BF0AF44DE903FA80E4458110155F34B	799087F4F62932DBE6405946E5FC9215C9DF899909C15F0C1D876EC28E9436B0

Analysis Report Doc.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains