
Analysis Report Doc.exe

Overview

General Information

Sample Name:Doc.exe
Analysis ID:341408
MD5:c853495818db3fddf333ce3eaf5e6cc3
SHA1:51dfa28d2bf0af44de903fa80e4458110155f34b
SHA256:799087f4f62932dbe6405946e5fc9215c9df899909c15f0c1d876ec28e9436b0
Tags:exeNanoCoreRATYahoo


Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Doc.exe (PID: 1460 cmdline: 'C:\Users\user\Desktop\Doc.exe' MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
    • schtasks.exe (PID: 5744 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Doc.exe (PID: 5784 cmdline: {path} MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
    • Doc.exe (PID: 3848 cmdline: {path} MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
      • schtasks.exe (PID: 5536 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5316 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Doc.exe (PID: 1112 cmdline: C:\Users\user\Desktop\Doc.exe 0 MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
    • schtasks.exe (PID: 6476 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Doc.exe (PID: 6524 cmdline: {path} MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
  • dhcpmon.exe (PID: 3720 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
  • dhcpmon.exe (PID: 6328 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
    • schtasks.exe (PID: 6848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6928 cmdline: {path} MD5: C853495818DB3FDDF333CE3EAF5E6CC3)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings:
    • 0x4ea7d:$a: NanoCore
    • 0x4ead6:$a: NanoCore
    • 0x4eb13:$a: NanoCore
    • 0x4eb8c:$a: NanoCore
    • 0x54121:$a: NanoCore
    • 0x5416b:$a: NanoCore
    • 0x54355:$a: NanoCore
    • 0x67c74:$a: NanoCore
    • 0x67c89:$a: NanoCore
    • 0x67cbe:$a: NanoCore
    • 0x80c13:$a: NanoCore
    • 0x80c28:$a: NanoCore
    • 0x80c5d:$a: NanoCore
    • 0x4eadf:$b: ClientPlugin
    • 0x4eb1c:$b: ClientPlugin
    • 0x4f41a:$b: ClientPlugin
    • 0x4f427:$b: ClientPlugin
    • 0x53eba:$b: ClientPlugin
    • 0x5412a:$b: ClientPlugin
    • 0x54174:$b: ClientPlugin
    • 0x67a30:$b: ClientPlugin
Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings: the same 21 $a/$b matches, at the same offsets, as listed for the 0000001C dump above
Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth | Strings:
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 28.2.dhcpmon.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth | Strings:
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 28.2.dhcpmon.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth | Strings:
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
Source: 28.2.dhcpmon.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 28.2.dhcpmon.exe.400000.0.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings:
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
Source: 6.2.Doc.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth | Strings:
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

        Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Doc.exe, ProcessId: 3848, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Doc.exe' , ParentImage: C:\Users\user\Desktop\Doc.exe, ParentProcessId: 1460, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp', ProcessId: 5744

        Signature Overview


AV Detection:

Found malware configuration
Source: Doc.exe.6524.22.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: innocentbooii.hopto.org | Virustotal: Detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe | ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: Doc.exe | Virustotal: Detection: 33%
Source: Doc.exe | ReversingLabs: Detection: 39%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Doc.exe | Joe Sandbox ML: detected
Source: 6.2.Doc.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.Doc.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: Doc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Doc.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: Doc.exe, 00000006.00000002.601742047.0000000003125000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.329884797.0000000005770000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357185868.00000000078A0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Doc.exe | Code function: 4x nop then mov esp, ebp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 172.111.249.15
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 154.120.95.234:55420
Source: Joe Sandbox View | ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU
Source: Joe Sandbox View | ASN Name: SpectranetNG SpectranetNG
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.249.15 (reported 9 times)
Source: unknown | DNS traffic detected: queries for: innocentbooii.hopto.org
Source: Doc.exe, 00000000.00000003.245606571.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/CSMDataSet.xsd
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com7
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com_
Source: Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comei
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coms
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comy
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTFe
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comoA
Source: Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comoitul
Source: Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comrz
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp, Doc.exe, 00000000.00000003.244042748.00000000080E0000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Doc.exe, 00000000.00000003.244057616.00000000080E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn&
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnX
Source: Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Doc.exe, 00000000.00000003.246980374.00000000080DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Doc.exe, 00000000.00000003.246301474.00000000080D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ldZ
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i-f
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/l
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/k-s
Source: Doc.exe, 00000000.00000003.246461974.00000000080D7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn_
Source: Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cne
Source: Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnk
Source: Doc.exe, 00000000.00000002.273691048.000000000174A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
        Source: Yara matchFile source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

        Operating System Destruction:

        Protects its processes via BreakOnTermination flag
        Source: C:\Users\user\Desktop\Doc.exeProcess information set: 01 00 00 00

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        PE file contains section with special chars
        Source: Doc.exeStatic PE information: section name: 2)-Lp$
        Source: dEkaSoUjP.exe.0.drStatic PE information: section name: 2)-Lp$
        Source: dhcpmon.exe.6.drStatic PE information: section name: 2)-Lp$
        PE file has nameless sections
        Source: Doc.exeStatic PE information: section name:
        Source: dEkaSoUjP.exe.0.drStatic PE information: section name:
        Source: dhcpmon.exe.6.drStatic PE information: section name:
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_016CABEE NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_016CABB3 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_03111836 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_03111572 NtSetInformationProcess,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_03111541 NtSetInformationProcess,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_031117FB NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_0170ABEE NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_0170ABB3 NtQuerySystemInformation,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00F0ABEE NtQuerySystemInformation,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00F0ABB3 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E2594
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E1D90
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E3D80
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E11B1
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019EFD28
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E6031
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E907F
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E2F18
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E010C
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E3C8F
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E98B0
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E1CF9
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5C00
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E987D
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5470
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5460
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019EF7A8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5BF0
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E9318
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E9309
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E4A90
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E4A80
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E2A10
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5A10
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5A20
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5E78
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E6A68
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_019E5E69
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D56F4
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D3B98
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D43F8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D0988
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D43E8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D1890
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D1880
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D3C58
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D15D8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D01E9
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D15E8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_069D097A
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_09331D09
        Source: C:\Users\user\Desktop\Doc.exeCode function: 0_2_09333B80
        Source: C:\Users\user\Desktop\Doc.exeCode function: 5_2_004A9098
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_00DE9098
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B2FA8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B23A0
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B9A78
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B8E78
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030BB6D8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B3850
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030BA320
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B9B3F
        Source: C:\Users\user\Desktop\Doc.exeCode function: 6_2_030B306F
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B2F18
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B1229
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031BFD28
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B1D90
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B2594
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B3D80
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B6031
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031BA420
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B907F
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B9318
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B9309
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031BF7A8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5BF0
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B2A10
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5A10
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5A20
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5E78
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5E69
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B6A68
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B4A90
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B4A80
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B6AE3
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B010C
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5C00
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5470
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B5460
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B3C9E
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B98B0
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B3CA5
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_031B1CF9
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B00988
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B03B98
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B043F8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B056F4
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B015E8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B001E9
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B015D8
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B0097A
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B01890
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B01880
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B03C58
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_05B01370
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_070D1D09
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_070D3B52
        Source: C:\Users\user\Desktop\Doc.exeCode function: 13_2_070D3B80
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02982F18
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02986031
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0298907F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02981D90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02982589
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02983D80
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_029811B1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0298FD28
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02984A90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02984A80
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02982A10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985A10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985A20
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985E78
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02986A68
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985E69
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0298F7A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985BF0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02989318
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02989309
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02983C8F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_029898B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02981CF9
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985C00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0298987D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985470
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02985460
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02980102
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05750988
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_057543F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05753B98
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_057556F4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0575097B
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_057501E9
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_057515E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_057515D8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05753C58
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05751890
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05751880
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_057543E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0575EAA8
        Source: Doc.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dEkaSoUjP.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Doc.exeBinary or memory string: OriginalFilename vs Doc.exe
        Source: Doc.exe, 00000000.00000002.272844069.0000000000FCE000.00000002.00020000.sdmpBinary or memory string: OriginalFilename~ vs Doc.exe
        Source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Doc.exe
        Source: Doc.exe, 00000000.00000002.273691048.000000000174A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Doc.exe
        Source: Doc.exe, 00000000.00000002.286908140.0000000009990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Doc.exe
        Source: Doc.exe, 00000000.00000002.278683853.00000000069F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Doc.exe
        Source: Doc.exe, 00000000.00000002.288923199.000000000A250000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Doc.exe
        Source: Doc.exe, 00000000.00000002.288923199.000000000A250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc.exe
        Source: Doc.exe, 00000000.00000002.288764211.000000000A150000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Doc.exe
        Source: Doc.exe, 00000005.00000002.270139106.000000000050E000.00000002.00020000.sdmpBinary or memory string: OriginalFilename~ vs Doc.exe
        Source: Doc.exe, 00000006.00000002.601689511.0000000003100000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Doc.exe
        Source: Doc.exe, 00000006.00000002.599703588.0000000000E4E000.00000002.00020000.sdmpBinary or memory string: OriginalFilename~ vs Doc.exe
        Source: Doc.exeBinary or memory string: OriginalFilename vs Doc.exe
        Source: Doc.exe, 0000000D.00000002.336887567.0000000007050000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Doc.exe
        Source: Doc.exe, 0000000D.00000000.282841557.0000000000F2E000.00000002.00020000.sdmpBinary or memory string: OriginalFilename~ vs Doc.exe
        Source: Doc.exe, 0000000D.00000002.337880178.0000000007AF0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Doc.exe
        Source: Doc.exe, 0000000D.00000002.337786520.0000000007870000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Doc.exe
        Source: Doc.exe, 0000000D.00000002.337786520.0000000007870000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc.exe
        Source: Doc.exe, 0000000D.00000002.336155358.0000000006E80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Doc.exe
        Source: Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Doc.exe
        Source: Doc.exe, 00000016.00000002.339689171.0000000004F60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Doc.exe
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Doc.exe
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs Doc.exe
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Doc.exe
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Doc.exe
        Source: Doc.exe, 00000016.00000000.319457326.000000000072E000.00000002.00020000.sdmpBinary or memory string: OriginalFilename~ vs Doc.exe
        Source: Doc.exeBinary or memory string: OriginalFilename~ vs Doc.exe
        Source: Doc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Doc.exe | Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
        Source: dEkaSoUjP.exe.0.dr | Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
        Source: dhcpmon.exe.6.dr | Static PE information: Section: 2)-Lp$ ZLIB complexity 1.00031404414
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@27/12@5/3
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_016CA592 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_016CA55B AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_031113F6 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_031113BF AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 13_2_0170A592 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 13_2_0170A55B AdjustTokenPrivileges,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00F0A592 AdjustTokenPrivileges,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00F0A55B AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Doc.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Doc.exe | File created: C:\Users\user\AppData\Roaming\dEkaSoUjP.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_01
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\klWoWNDQjWHCoOgJjdNoeVBUO
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_01
        Source: C:\Users\user\Desktop\Doc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
        Source: C:\Users\user\Desktop\Doc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{f54d19ad-33bd-4372-9241-49940a512cfd}
        Source: C:\Users\user\Desktop\Doc.exe | File created: C:\Users\user\AppData\Local\Temp\tmp58A2.tmp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Doc.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\Doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO [dbo].[MANUF_ORDER] ([ORDER_ID], [EMPLOYEE_ID], [CAR_ID], [MANUFACTURER_ID], [ORDER_DATE], [BILL]) VALUES (@ORDER_ID, @EMPLOYEE_ID, @CAR_ID, @MANUFACTURER_ID, @ORDER_DATE, @BILL);
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[EMPLOYEE] SET [EMPLOYEE_ID] = @EMPLOYEE_ID, [EMPLOYEE_NAME] = @EMPLOYEE_NAME, [EMPLOYEE_PASSWORD] = @EMPLOYEE_PASSWORD, [EMPLOYEE_CONTACT] = @EMPLOYEE_CONTACT, [EMPLOYEE_ADDRESS] = @EMPLOYEE_ADDRESS, [EMPLOYEE_EMAIL] = @EMPLOYEE_EMAIL, [EMPLOYEE_DESIGNATION] = @EMPLOYEE_DESIGNATION WHERE (([EMPLOYEE_ID] = @Original_EMPLOYEE_ID) AND ([EMPLOYEE_NAME] = @Original_EMPLOYEE_NAME) AND ([EMPLOYEE_PASSWORD] = @Original_EMPLOYEE_PASSWORD) AND ([EMPLOYEE_CONTACT] = @Original_EMPLOYEE_CONTACT) AND ([EMPLOYEE_ADDRESS] = @Original_EMPLOYEE_ADDRESS) AND ([EMPLOYEE_EMAIL] = @Original_EMPLOYEE_EMAIL) AND ([EMPLOYEE_DESIGNATION] = @Original_EMPLOYEE_DESIGNATION));
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO [dbo].[EMPLOYEE] ([EMPLOYEE_ID], [EMPLOYEE_NAME], [EMPLOYEE_PASSWORD], [EMPLOYEE_CONTACT], [EMPLOYEE_ADDRESS], [EMPLOYEE_EMAIL], [EMPLOYEE_DESIGNATION]) VALUES (@EMPLOYEE_ID, @EMPLOYEE_NAME, @EMPLOYEE_PASSWORD, @EMPLOYEE_CONTACT, @EMPLOYEE_ADDRESS, @EMPLOYEE_EMAIL, @EMPLOYEE_DESIGNATION);
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[Car] SET [CAR_ID] = @CAR_ID, [CAR_NAME] = @CAR_NAME, [CAR_MODEL] = @CAR_MODEL, [CAR_COMPANY] = @CAR_COMPANY, [CAR_STATUS] = @CAR_STATUS, [CAR_PRICE] = @CAR_PRICE WHERE (([CAR_ID] = @Original_CAR_ID) AND ([CAR_NAME] = @Original_CAR_NAME) AND ([CAR_MODEL] = @Original_CAR_MODEL) AND ([CAR_COMPANY] = @Original_CAR_COMPANY) AND ([CAR_STATUS] = @Original_CAR_STATUS) AND ([CAR_PRICE] = @Original_CAR_PRICE));
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO [dbo].[MANUFACTURER] ([MANUFACTURER_ID], [MANUFACTURER_NAME], [MANUFACTURER_EMAIL], [MANUFACTURER_ADDRESS], [MANUFACTURER_CONTACT]) VALUES (@MANUFACTURER_ID, @MANUFACTURER_NAME, @MANUFACTURER_EMAIL, @MANUFACTURER_ADDRESS, @MANUFACTURER_CONTACT);
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO [dbo].[Car] ([CAR_ID], [CAR_NAME], [CAR_MODEL], [CAR_COMPANY], [CAR_STATUS], [CAR_PRICE]) VALUES (@CAR_ID, @CAR_NAME, @CAR_MODEL, @CAR_COMPANY, @CAR_STATUS, @CAR_PRICE);
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[CUSTOMER_ORDER] SET [ORDER_ID] = @ORDER_ID, [EMPLOYEE_ID] = @EMPLOYEE_ID, [CAR_ID] = @CAR_ID, [CUSTOMER_CNIC] = @CUSTOMER_CNIC, [ORDER_DATE] = @ORDER_DATE, [BILL] = @BILL WHERE (([ORDER_ID] = @Original_ORDER_ID) AND ((@IsNull_EMPLOYEE_ID = 1 AND [EMPLOYEE_ID] IS NULL) OR ([EMPLOYEE_ID] = @Original_EMPLOYEE_ID)) AND ((@IsNull_CAR_ID = 1 AND [CAR_ID] IS NULL) OR ([CAR_ID] = @Original_CAR_ID)) AND ((@IsNull_CUSTOMER_CNIC = 1 AND [CUSTOMER_CNIC] IS NULL) OR ([CUSTOMER_CNIC] = @Original_CUSTOMER_CNIC)) AND ([ORDER_DATE] = @Original_ORDER_DATE) AND ([BILL] = @Original_BILL));
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO [dbo].[CUSTOMER] ([CUSTOMER_CNIC], [CUSTOMER_NAME], [CUSTOMER_CONTACT], [CUSTOMER_ADDRESS]) VALUES (@CUSTOMER_CNIC, @CUSTOMER_NAME, @CUSTOMER_CONTACT, @CUSTOMER_ADDRESS);
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[CUSTOMER] SET [CUSTOMER_CNIC] = @CUSTOMER_CNIC, [CUSTOMER_NAME] = @CUSTOMER_NAME, [CUSTOMER_CONTACT] = @CUSTOMER_CONTACT, [CUSTOMER_ADDRESS] = @CUSTOMER_ADDRESS WHERE (([CUSTOMER_CNIC] = @Original_CUSTOMER_CNIC) AND ([CUSTOMER_NAME] = @Original_CUSTOMER_NAME) AND ([CUSTOMER_CONTACT] = @Original_CUSTOMER_CONTACT) AND ([CUSTOMER_ADDRESS] = @Original_CUSTOMER_ADDRESS));
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO [dbo].[CUSTOMER_ORDER] ([ORDER_ID], [EMPLOYEE_ID], [CAR_ID], [CUSTOMER_CNIC], [ORDER_DATE], [BILL]) VALUES (@ORDER_ID, @EMPLOYEE_ID, @CAR_ID, @CUSTOMER_CNIC, @ORDER_DATE, @BILL);
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[MANUF_ORDER] SET [ORDER_ID] = @ORDER_ID, [EMPLOYEE_ID] = @EMPLOYEE_ID, [CAR_ID] = @CAR_ID, [MANUFACTURER_ID] = @MANUFACTURER_ID, [ORDER_DATE] = @ORDER_DATE, [BILL] = @BILL WHERE (([ORDER_ID] = @Original_ORDER_ID) AND ((@IsNull_EMPLOYEE_ID = 1 AND [EMPLOYEE_ID] IS NULL) OR ([EMPLOYEE_ID] = @Original_EMPLOYEE_ID)) AND ((@IsNull_CAR_ID = 1 AND [CAR_ID] IS NULL) OR ([CAR_ID] = @Original_CAR_ID)) AND ((@IsNull_MANUFACTURER_ID = 1 AND [MANUFACTURER_ID] IS NULL) OR ([MANUFACTURER_ID] = @Original_MANUFACTURER_ID)) AND ([ORDER_DATE] = @Original_ORDER_DATE) AND ([BILL] = @Original_BILL));
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.326164483.0000000003611000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.323222356.0000000002D41000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[MANUFACTURER] SET [MANUFACTURER_ID] = @MANUFACTURER_ID, [MANUFACTURER_NAME] = @MANUFACTURER_NAME, [MANUFACTURER_EMAIL] = @MANUFACTURER_EMAIL, [MANUFACTURER_ADDRESS] = @MANUFACTURER_ADDRESS, [MANUFACTURER_CONTACT] = @MANUFACTURER_CONTACT WHERE (([MANUFACTURER_ID] = @Original_MANUFACTURER_ID) AND ([MANUFACTURER_NAME] = @Original_MANUFACTURER_NAME) AND ([MANUFACTURER_EMAIL] = @Original_MANUFACTURER_EMAIL) AND ([MANUFACTURER_ADDRESS] = @Original_MANUFACTURER_ADDRESS) AND ([MANUFACTURER_CONTACT] = @Original_MANUFACTURER_CONTACT));
        Source: Doc.exe | Virustotal: Detection: 33%
        Source: Doc.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\Doc.exe | File read: C:\Users\user\Desktop\Doc.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Doc.exe 'C:\Users\user\Desktop\Doc.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: unknown | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Doc.exe C:\Users\user\Desktop\Doc.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\Doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\Doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Doc.exe | Static file information: File size 1530880 > 1048576
        Source: C:\Users\user\Desktop\Doc.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp
        Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Doc.exe, 00000006.00000002.601742047.0000000003125000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: Doc.exe, 00000000.00000002.284135859.0000000009260000.00000002.00000001.sdmp, Doc.exe, 0000000D.00000002.335976902.0000000006E20000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.329884797.0000000005770000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.357185868.00000000078A0000.00000002.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\Doc.exe | Unpacked PE file: 0.2.Doc.exe.e70000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        Source: C:\Users\user\Desktop\Doc.exe | Unpacked PE file: 13.2.Doc.exe.dd0000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.4a0000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 19.2.dhcpmon.exe.680000.0.unpack 2)-Lp$:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        .NET source code contains potential unpacker
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Binary contains a suspicious time stamp
        Source: initial sample | Static PE information: 0xC7A08D7A [Mon Feb 17 17:59:22 2076 UTC]
        Source: Doc.exe | Static PE information: section name: 2)-Lp$
        Source: Doc.exe | Static PE information: section name:
        Source: dEkaSoUjP.exe.0.dr | Static PE information: section name: 2)-Lp$
        Source: dEkaSoUjP.exe.0.dr | Static PE information: section name:
        Source: dhcpmon.exe.6.dr | Static PE information: section name: 2)-Lp$
        Source: dhcpmon.exe.6.dr | Static PE information: section name:
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_00EE44BC push edx; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_00EE1CB1 push ecx; retf
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_00EE094D push cs; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_00EE312B push ecx; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_016C2654 push ss; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_016C28C8 push cs; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_016C2DA9 push es; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_019E64B0 push ecx; retf
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_019E33DF push edx; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_019E7314 push eax; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 0_2_019E1A81 push ecx; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A3863 push ebp; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1867 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A18DD push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A18EE push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A18B3 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1946 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1747 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1756 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1766 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1705 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1937 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A1797 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 5_2_004A17A6 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE18DD push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE18EE push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE18B3 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE1867 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE3863 push ebp; ret
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE1797 push es; iretd
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_00DE17A6 push es; iretd
        Source: initial sample | Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
        Source: initial sample | Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
        Source: initial sample | Static PE information: section name: 2)-Lp$ entropy: 7.99982367826
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.Doc.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 22.2.Doc.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 28.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Doc.exeFile created: C:\Users\user\AppData\Roaming\dEkaSoUjP.exeJump to dropped file
        Source: C:\Users\user\Desktop\Doc.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Doc.exe | File opened: C:\Users\user\Desktop\Doc.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Doc.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: 0000000D.00000002.326488687.0000000003667000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.350701608.00000000030AC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6328, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3720, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 1112, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLX1(R
        Source: Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R.:
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Doc.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Doc.exe | Window / User API: threadDelayed 718
        Source: C:\Users\user\Desktop\Doc.exe | Window / User API: foregroundWindowGot 1164
        Source: C:\Users\user\Desktop\Doc.exe | Window / User API: foregroundWindowGot 393
        Source: C:\Users\user\Desktop\Doc.exe TID: 6064 | Thread sleep time: -31500s >= -30000s
        Source: C:\Users\user\Desktop\Doc.exe TID: 4576 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Doc.exe TID: 3552 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Doc.exe TID: 3888 | Thread sleep time: -280000s >= -30000s
        Source: C:\Users\user\Desktop\Doc.exe TID: 1100 | Thread sleep time: -31500s >= -30000s
        Source: C:\Users\user\Desktop\Doc.exe TID: 1496 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1036 | Thread sleep time: -31500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6176 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6332 | Thread sleep time: -31500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Doc.exe TID: 6576 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7032 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_0311161A GetSystemInfo,
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMware|9(r
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIX1(r
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: vmwareX1(r
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMWARE|9(r
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMWAREX1(r48
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rQ8
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMware |9(r
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
        Source: dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: Doc.exe, 00000000.00000002.275014667.0000000003754000.00000004.00000001.sdmp, Doc.exe, 0000000D.00000002.329022220.0000000003A3D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.325786872.000000000316E000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.352582939.0000000003482000.00000004.00000001.sdmp | Binary or memory string: QEMUX1(r%:
        Source: C:\Users\user\Desktop\Doc.exe | Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00F0A172 CheckRemoteDebuggerPresent,
        Source: C:\Users\user\Desktop\Doc.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\Doc.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\Doc.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\Doc.exe | Process queried: DebugPort
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process queried: DebugPort
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process queried: DebugPort
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process queried: DebugPort
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\Doc.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Doc.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Doc.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Doc.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Doc.exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Doc.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Doc.exe | Memory written: C:\Users\user\Desktop\Doc.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Doc.exe | Memory written: C:\Users\user\Desktop\Doc.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'
        Source: C:\Users\user\Desktop\Doc.exe | Process created: C:\Users\user\Desktop\Doc.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
        Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
        Source: Doc.exe, 00000006.00000002.601462279.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Doc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
        Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Doc.exe, 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Doc.exe, 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: Doc.exe, 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 1460, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 3848, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Doc.exe PID: 6524, type: MEMORY
        Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.Doc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_03112DE6 bind,
        Source: C:\Users\user\Desktop\Doc.exe | Code function: 6_2_03112DA5 bind,
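        The "String found in binary or memory" evidence above rests on a handful of .NET identifiers (NanoCore.ClientPluginHost, NanoProtectClient.dll, KillNanoCore, ...) surviving in the unpacked image and in process memory. The scanner below is an added example, not code from the Joe Sandbox report or from the malware; it reproduces that check over a raw memory dump. The point a practitioner tends to miss is the encoding split: names in a .NET assembly's metadata #Strings heap are UTF-8, while user strings and text built at run time are UTF-16LE, so a byte search that tries only one encoding misses half the hits. The indicator list is taken from the report; the function names and the SAMPLE buffer are constructed here and are not bytes from the sample.

```python
"""Scan a memory dump or unpacked PE image for the NanoCore strings listed in the
report under "String found in binary or memory" (added example, not report code).
Both UTF-8 (metadata names) and UTF-16LE (user strings) are searched.
"""
from dataclasses import dataclass
from typing import List

# Distinct indicator strings seen in the report above. None is a substring of
# another, so every byte occurrence is counted exactly once.
INDICATORS = (
    "NanoCore.ClientPluginHost",
    "ClientPlugin.dll",
    "NanoProtectClient.dll",
    "KillNanoCore",
    "[NanoProtect]: Checking for NanoProtect module",
)
ENCODINGS = ("utf-8", "utf-16le")


@dataclass(frozen=True)
class Hit:
    indicator: str
    encoding: str
    offset: int


def scan(buf: bytes) -> List[Hit]:
    """Return every occurrence of every indicator in either encoding, sorted by offset."""
    hits: List[Hit] = []
    for indicator in INDICATORS:
        for enc in ENCODINGS:
            needle = indicator.encode(enc)
            pos = buf.find(needle)
            while pos >= 0:
                hits.append(Hit(indicator, enc, pos))
                pos = buf.find(needle, pos + 1)
    return sorted(hits, key=lambda h: (h.offset, h.indicator))


def is_nanocore(buf: bytes) -> bool:
    """Same criterion the report applies: the plugin-host interface name is present."""
    return any(h.indicator == "NanoCore.ClientPluginHost" for h in scan(buf))


def triage(buf: bytes) -> dict:
    """Analyst summary: verdict, which indicators were seen, and in which encodings."""
    hits = scan(buf)
    return {
        "nanocore": is_nanocore(buf),
        "distinct_indicators": sorted({h.indicator for h in hits}),
        "encodings": sorted({h.encoding for h in hits}),
        "hit_count": len(hits),
    }


# Constructed stand-in for a memory region: padding, a UTF-8 metadata name,
# filler, then a UTF-16LE copy of another indicator. Not bytes from the sample.
SAMPLE = (
    b"\x00" * 16
    + b"NanoCore.ClientPluginHost\x00"
    + b"junk" * 3
    + "KillNanoCore".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#010x} {hit.encoding:<9} {hit.indicator}")
    print(triage(SAMPLE))
```

        Run against a real dump (for example one of the .sdmp regions named above, or a process dump taken with a tool of your choice), `scan` gives offsets to pivot on in a hex viewer, and `triage` tells you whether the UTF-16LE side contributed anything, which is a quick hint that you are looking at a decrypted runtime string rather than only static metadata.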

        Mitre Att&ck Matrix

        Techniques with bracketed numbers were matched by this sample's signatures (the numbers are the report's signature-count badges); entries without a number are the remaining cells of the matrix that were not observed.

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
        Execution: Scheduled Task/Job [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
        Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
        Privilege Escalation: Access Token Manipulation [1]; Process Injection [1 1 2]; Scheduled Task/Job [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
        Defense Evasion: Masquerading [2]; Virtualization/Sandbox Evasion [4]; Disable or Modify Tools [1]; Access Token Manipulation [1]; Process Injection [1 1 2]; Deobfuscate/Decode Files or Information [1]; Hidden Files and Directories [1]; Obfuscated Files or Information [3]; Software Packing [2 3]; Timestomp [1]
        Credential Access: Input Capture [2 1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
        Discovery: Security Software Discovery [3 2 1]; Virtualization/Sandbox Evasion [4]; Process Discovery [2]; Application Window Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [1 3]; Network Service Scanning; System Network Connections Discovery; Process Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
        Collection: Input Capture [2 1]; Archive Collected Data [1 1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
        Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1 1]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
Behavior Graph (ID 341408, sample Doc.exe, start date 19/01/2021, architecture WINDOWS, score 100)

Legend: Internet = external network contact

Graph-level network: innocentbooii.hopto.org
Graph-level signatures:
  - Multi AV Scanner detection for domain / URL
  - Found malware configuration
  - Malicious sample detected (through community Yara rule)
  - 18 other signatures

Process tree (numbers are the graph's node IDs, not Windows PIDs):
  2  start
  |- 9  Doc.exe
  |     dropped:  C:\Users\user\AppData\Roaming\dEkaSoUjP.exe (PE32)
  |               C:\Users\user\AppData\Local\...\tmp58A2.tmp (XML)
  |               C:\Users\user\AppData\Local\...\Doc.exe.log (ASCII)
  |     signatures: Detected unpacking (changes PE section rights); Injects a PE file into a foreign processes
  |     |- 20 Doc.exe
  |     |     network:  innocentbooii.hopto.org -> 154.120.95.234:55420 (SpectranetNG, Nigeria)
  |     |               172.111.249.15:55420 (AS45671-NET-AUWholesaleServicesProviderAU, United States)
  |     |     dropped:  C:\Program Files (x86)\...\dhcpmon.exe (PE32)
  |     |               C:\Users\user\AppData\Roaming\...\run.dat (data)
  |     |               C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
  |     |     signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier)
  |     |     |- 37 schtasks.exe
  |     |     |     |- 47 conhost.exe
  |     |     |- 39 schtasks.exe
  |     |           |- 49 conhost.exe
  |     |- 25 schtasks.exe
  |     |     |- 41 conhost.exe
  |     |- 27 Doc.exe
  |- 13 dhcpmon.exe
  |     network: 192.168.2.1 (private)
  |     |- 29 schtasks.exe
  |     |     |- 43 conhost.exe
  |     |- 31 dhcpmon.exe
  |- 16 Doc.exe
  |     |- 33 schtasks.exe
  |     |     |- 45 conhost.exe
  |     |- 35 Doc.exe
  |- 18 dhcpmon.exe

Responder note: the BreakOnTermination flag marks the process as critical, so killing the flagged Doc.exe (Task Manager, taskkill, an EDR kill action) bugchecks the host with CRITICAL_PROCESS_DIED. Contain by isolating the host or suspending the process, remove the scheduled-task persistence and the dhcpmon.exe drop, then reboot rather than terminating the process in place.
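The chain above (a binary in a user-writable path spawning a copy of itself for injection, schtasks.exe registering a task from an XML file in %TEMP%, a PE dropped into Program Files (x86)\DHCP Monitor, a Zone.Identifier stream touched on that drop, and two outbound connections on port 55420) maps directly onto host-side detection rules. The following is an added example and not part of the Joe Sandbox report or of NanoCore itself: Sysmon-style events are modelled as plain records, the sample events are constructed to mirror the tree above (the schtasks command line, task name and PIDs are assumptions; the report does not show the command line), and the rules are heuristics tuned to this sample's behaviour, with two benign events included to show they do not fire.

```python
"""Host-side detection rules for the NanoCore behaviour chain in the report above.

Added example. Events are constructed Sysmon-style records, not sandbox output;
the schtasks command line and task name are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Network IOCs taken from the report's behavior graph.
C2_HOSTS = {"innocentbooii.hopto.org"}
C2_IPS = {"154.120.95.234", "172.111.249.15"}
C2_PORTS = {55420}

# Processes that legitimately write or remove Zone.Identifier (mark-of-the-web) streams.
MOTW_WRITERS = {"explorer.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "outlook.exe"}

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
PROGRAM_FILES = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)
TASK_XML_ARG = re.compile(r"/xml\s+\"?([^\"\s]+)", re.I)


@dataclass
class Event:
    kind: str                 # "process", "file" or "network"
    pid: int
    image: str                # acting process image path
    parent_image: str = ""
    parent_pid: int = 0
    cmdline: str = ""
    target: str = ""          # file path for "file" events
    dest_ip: str = ""
    dest_host: str = ""
    dest_port: int = 0


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_temp_xml(ev: Event) -> Optional[Finding]:
    """Sigma-style: schtasks.exe registering a task from an XML file under %TEMP%."""
    if ev.kind != "process" or _name(ev.image) != "schtasks.exe":
        return None
    m = TASK_XML_ARG.search(ev.cmdline)
    if m and TEMP_DIR.search(m.group(1)):
        return Finding("schtasks_task_from_temp", ev.pid, m.group(1))
    return None


def rule_self_spawn_from_user_path(ev: Event) -> Optional[Finding]:
    """Injection heuristic: a binary in a user-writable path starts a copy of itself."""
    if ev.kind != "process" or not ev.parent_image:
        return None
    if _name(ev.image) == _name(ev.parent_image) and USER_WRITABLE.match(ev.parent_image):
        return Finding("self_spawn_user_path", ev.pid, f"{ev.parent_image} -> {ev.image}")
    return None


def rule_drop_to_program_files(ev: Event) -> Optional[Finding]:
    """A user-path process writes an .exe into Program Files (the dhcpmon.exe persistence drop)."""
    if ev.kind != "file" or not USER_WRITABLE.match(ev.image):
        return None
    if PROGRAM_FILES.match(ev.target) and ev.target.lower().endswith(".exe"):
        return Finding("pe_dropped_to_program_files", ev.pid, ev.target)
    return None


def rule_motw_tamper(ev: Event) -> Optional[Finding]:
    """Zone.Identifier stream written or removed by something other than a browser or the shell."""
    if ev.kind == "file" and ev.target.lower().endswith(":zone.identifier") \
            and _name(ev.image) not in MOTW_WRITERS:
        return Finding("zone_identifier_tamper", ev.pid, ev.target)
    return None


def rule_c2_contact(ev: Event) -> Optional[Finding]:
    """IOC match on the report's C2 host, IPs and port."""
    if ev.kind != "network":
        return None
    hit = ev.dest_host.lower() in C2_HOSTS or ev.dest_ip in C2_IPS or ev.dest_port in C2_PORTS
    if hit:
        return Finding("nanocore_c2_ioc", ev.pid, f"{ev.dest_host or ev.dest_ip}:{ev.dest_port}")
    return None


RULES = (rule_schtasks_temp_xml, rule_self_spawn_from_user_path,
         rule_drop_to_program_files, rule_motw_tamper, rule_c2_contact)


def analyze(events: Iterable[Event]) -> list:
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


# Constructed events mirroring the behavior graph (PIDs, task name and command line assumed).
DOC = r"C:\Users\user\Desktop\Doc.exe"
SAMPLE_EVENTS = [
    Event("process", 9, DOC, parent_image=r"C:\Windows\explorer.exe", parent_pid=4),
    Event("file", 9, DOC, target=r"C:\Users\user\AppData\Roaming\dEkaSoUjP.exe"),
    Event("file", 9, DOC, target=r"C:\Users\user\AppData\Local\Temp\tmp58A2.tmp"),
    Event("process", 20, DOC, parent_image=DOC, parent_pid=9),
    Event("process", 25, r"C:\Windows\SysWOW64\schtasks.exe", parent_image=DOC, parent_pid=9,
          cmdline=r'schtasks.exe /create /f /tn "dEkaSoUjP" /xml "C:\Users\user\AppData\Local\Temp\tmp58A2.tmp"'),
    Event("file", 20, DOC, target=r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"),
    Event("file", 20, DOC, target=r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier"),
    Event("network", 20, DOC, dest_host="innocentbooii.hopto.org", dest_ip="154.120.95.234", dest_port=55420),
    Event("network", 20, DOC, dest_ip="172.111.249.15", dest_port=55420),
    # Benign noise that must not fire: a task query, and a browser writing mark-of-the-web.
    Event("process", 60, r"C:\Windows\System32\schtasks.exe", parent_image=r"C:\Windows\System32\svchost.exe",
          cmdline=r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
    Event("file", 61, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<4} {f.detail}")
```

The self-spawn and Program Files rules are deliberately scoped to actors running from a user profile path; without that scope they would fire on installers and updaters. The Zone.Identifier rule keys on the stream name only, because the report shows the stream being written on the drop rather than deleted, and both directions are unusual for a non-browser process.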

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source  | Detection | Scanner        | Label
Doc.exe | 33%       | Virustotal     |
Doc.exe | 39%       | ReversingLabs  | ByteCode-MSIL.Trojan.Tnega
Doc.exe | 100%      | Joe Sandbox ML |

Dropped Files

Source                                          | Detection | Scanner        | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\dEkaSoUjP.exe     | 100%      | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 39%       | ReversingLabs  | ByteCode-MSIL.Trojan.Tnega
C:\Users\user\AppData\Roaming\dEkaSoUjP.exe     | 39%       | ReversingLabs  | ByteCode-MSIL.Trojan.Tnega

Unpacked PE Files

Source                           | Detection | Scanner | Label
6.2.Doc.exe.400000.0.unpack      | 100%      | Avira   | TR/Dropper.MSIL.Gen7
19.2.dhcpmon.exe.680000.0.unpack | 100%      | Avira   | TR/Crypt.XPACK.Gen
28.2.dhcpmon.exe.400000.0.unpack | 100%      | Avira   | TR/Dropper.MSIL.Gen7
22.2.Doc.exe.400000.0.unpack     | 100%      | Avira   | TR/Dropper.MSIL.Gen7
15.2.dhcpmon.exe.4a0000.0.unpack | 100%      | Avira   | TR/Crypt.XPACK.Gen
13.2.Doc.exe.dd0000.0.unpack     | 100%      | Avira   | TR/Crypt.XPACK.Gen
0.2.Doc.exe.e70000.0.unpack      | 100%      | Avira   | TR/Crypt.XPACK.Gen

Two layers are visible in the unpacked dumps: every dump taken at image base 0x400000 carries the payload label TR/Dropper.MSIL.Gen7, while the dumps at the higher bases (0xe70000, 0xdd0000, 0x4a0000, 0x680000) carry Avira's generic crypter label TR/Crypt.XPACK.Gen. The same two-layer split holds for both Doc.exe and its dhcpmon.exe copy.

Domains

Source                  | Detection | Scanner
innocentbooii.hopto.org | 10%       | Virustotal

URLs

Every URL below was scored 0% with the label "safe" by the scanner shown. With the exception of the truncated string http://en.w, every host is a commercial font foundry: these strings are the vendor URLs from the name tables of installed fonts, which GDI+/System.Drawing maps into any .NET process that enumerates fonts, and the trailing characters on many of them ("comI.TTF", "netD", "deDPlease") are bytes adjacent to the URL in memory that the string carver swept up. None of them is a network indicator for this sample; the actual C2 endpoints are listed under Domains and IPs.

Source                                           | Scanner
http://www.fontbureau.comI.TTF                   | Avira URL Cloud
http://www.founder.com.cn/cn/bThe                | URL Reputation
http://www.jiyu-kobo.co.jp/jp/H                  | Avira URL Cloud
http://www.founder.com.cn/cnX                    | Avira URL Cloud
http://www.tiro.com                              | URL Reputation
http://www.goodfont.co.kr                        | URL Reputation
http://www.carterandcone.com                     | URL Reputation
http://www.jiyu-kobo.co.jp/jp/6                  | Avira URL Cloud
http://www.fontbureau.comrz                      | Avira URL Cloud
http://www.sajatypeworks.com                     | URL Reputation
http://www.typography.netD                       | URL Reputation
http://www.fontbureau.comoA                      | Avira URL Cloud
http://www.founder.com.cn/cn/cThe                | URL Reputation
http://www.galapagosdesign.com/staff/dennis.htm  | URL Reputation
http://fontfabrik.com                            | URL Reputation
http://www.fontbureau.comB.TTFe                  | Avira URL Cloud
http://www.jiyu-kobo.co.jp/6                     | Avira URL Cloud
http://www.carterandcone.com7                    | Avira URL Cloud
http://www.jiyu-kobo.co.jp/0                     | URL Reputation
http://www.jiyu-kobo.co.jp/n-u                   | Avira URL Cloud
http://www.jiyu-kobo.co.jp/jp/l                  | Avira URL Cloud
http://www.galapagosdesign.com/DPlease           | URL Reputation
http://www.carterandcone.comei                   | Avira URL Cloud
http://www.sandoll.co.kr                         | URL Reputation
http://www.jiyu-kobo.co.jp/jp/S                  | Avira URL Cloud
http://www.urwpp.deDPlease                       | URL Reputation
http://www.jiyu-kobo.co.jp/$                     | Avira URL Cloud
http://www.zhongyicts.com.cn                     | URL Reputation
http://www.carterandcone.como.                   | URL Reputation
http://www.sakkal.com                            | URL Reputation
http://www.fontbureau.comoitul                   | Avira URL Cloud
http://www.galapagosdesign.com/                  | URL Reputation
http://www.carterandcone.com_                    | Avira URL Cloud
http://www.carterandcone.come                    | URL Reputation
http://www.jiyu-kobo.co.jp/S                     | Avira URL Cloud
http://www.carterandcone.coms                    | Avira URL Cloud
http://www.jiyu-kobo.co.jp/A                     | Avira URL Cloud
http://www.jiyu-kobo.co.jp/jp/                   | URL Reputation
http://www.fontbureau.coma                       | URL Reputation
http://www.zhongyicts.com.cne                    | Avira URL Cloud
http://www.fontbureau.comd                       | URL Reputation
http://en.w                                      | URL Reputation
http://www.carterandcone.coml                    | URL Reputation
http://www.zhongyicts.com.cnk                    | Avira URL Cloud
http://www.founder.com.cn/cn/                    | URL Reputation
http://www.jiyu-kobo.co.jp/k-s                   | Avira URL Cloud
http://www.jiyu-kobo.co.jp/w                     | Avira URL Cloud
http://www.founder.com.cn/cn                     | URL Reputation

Domains and IPs

Contacted Domains

Name                    | IP             | Active | Malicious | Antivirus Detection | Reputation
innocentbooii.hopto.org | 154.120.95.234 | true   | true      |                     | unknown

hopto.org is a No-IP dynamic DNS domain, so the IP shown is whatever the operator had the name pointed at during this run (19.01.2021); the hostname is the durable indicator and the IP should be re-resolved before it is used for blocking.

URLs from Memory and Binaries

Memory-dump sources that recur throughout the table:
  [A] Doc.exe, 00000000.00000002.282380576.0000000008250000.00000002.00000001.sdmp
  [B] Doc.exe, 0000000D.00000002.333252045.0000000005D20000.00000002.00000001.sdmp
  [C] dhcpmon.exe, 0000000F.00000002.331234081.0000000005F40000.00000002.00000001.sdmp
  [D] dhcpmon.exe, 00000013.00000002.357623628.0000000007B20000.00000002.00000001.sdmp
  [E] Doc.exe, 00000000.00000003.250034531.00000000080E5000.00000004.00000001.sdmp
  [F] Doc.exe, 00000000.00000003.246604071.00000000080E5000.00000004.00000001.sdmp
  [G] Doc.exe, 00000000.00000003.245346506.00000000080E1000.00000004.00000001.sdmp
  [H] Doc.exe, 00000000.00000003.272311376.00000000080DC000.00000004.00000001.sdmp
  [I] Doc.exe, 00000000.00000003.246853689.00000000080DC000.00000004.00000001.sdmp
  [J] Doc.exe, 00000000.00000003.244615811.00000000080E1000.00000004.00000001.sdmp
  [K] Doc.exe, 00000000.00000003.245285187.00000000080E1000.00000004.00000001.sdmp
  [L] Doc.exe, 00000000.00000003.251014283.00000000080E6000.00000004.00000001.sdmp
  [M] Doc.exe, 00000000.00000003.245099691.00000000080E0000.00000004.00000001.sdmp
Sources that occur once are written out in full. Malicious is false for every row; "-" means no antivirus verdict was returned.

Name | Source | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | A, B, C, D | - | high
http://www.fontbureau.comI.TTF | E | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | A, B, C, D | - | high
http://www.founder.com.cn/cn/bThe | A, B, C, D | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | A, B, C, D | - | high
http://www.jiyu-kobo.co.jp/jp/H | F | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnX | J | Avira URL Cloud: safe | unknown
http://www.tiro.com | D | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | D | - | high
http://www.goodfont.co.kr | A, B, C, D | URL Reputation: safe | unknown
http://www.carterandcone.com | G | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/6 | I | Avira URL Cloud: safe | unknown
http://www.fontbureau.comrz | H | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | A, B, C, D | URL Reputation: safe | unknown
http://www.typography.netD | A, B, C, D | URL Reputation: safe | unknown
http://www.fontbureau.comoA | E | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | A, B, C, D | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | A, L, B, C, D | URL Reputation: safe | unknown
http://fontfabrik.com | A, B, C, D | URL Reputation: safe | unknown
http://www.fontbureau.comB.TTFe | H | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/6 | F | Avira URL Cloud: safe | unknown
http://www.carterandcone.com7 | K | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/0 | F | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n-u | F | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/l | F | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | A, B, C, D | URL Reputation: safe | unknown
http://www.carterandcone.comei | G | Avira URL Cloud: safe | unknown
http://www.fonts.com | A, B, C, D | - | high
http://www.sandoll.co.kr | A, B, C, D | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/S | F | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | A, B, C, D | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/$ | Doc.exe, 00000000.00000003.246980374.00000000080DB000.00000004.00000001.sdmp | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | A, B, C, D | URL Reputation: safe | unknown
http://www.carterandcone.como. | G | URL Reputation: safe | unknown
http://www.sakkal.com | A, B, C, D | URL Reputation: safe | unknown
http://www.fontbureau.comoitul | E | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | A, B, C, D | - | high
http://www.fontbureau.com | A, B, C, D | - | high
http://www.galapagosdesign.com/ | L | URL Reputation: safe | unknown
http://www.carterandcone.com_ | G | Avira URL Cloud: safe | low
http://www.carterandcone.come | K | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/S | Doc.exe, 00000000.00000003.246301474.00000000080D4000.00000004.00000001.sdmp | Avira URL Cloud: safe | unknown
http://www.carterandcone.coms | G | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/A | I | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | I | URL Reputation: safe | unknown
http://www.fontbureau.coma | H | URL Reputation: safe | unknown
http://www.zhongyicts.com.cne | M | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | E | URL Reputation: safe | unknown
http://en.w | Doc.exe, 00000000.00000003.245606571.00000000080E5000.00000004.00000001.sdmp | URL Reputation: safe | unknown
http://www.carterandcone.coml | A, B, C, D | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnk | G | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | J | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/k-s | F | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | A, B, C, D | - | high
http://www.jiyu-kobo.co.jp/w | F | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | J, Doc.exe, 00000000.00000003.244042748.00000000080E0000.00000004.00000001.sdmp, B, C, D | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn_ | M | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/frere-jones.html | A, B, C, D | - | high
http://www.carterandcone.comy | G | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | E | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | F, B, C, D | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/l | Doc.exe, 00000000.00000003.246461974.00000000080D7000.00000004.00000001.sdmp | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | A, B, C, D | - | high
http://www.jiyu-kobo.co.jp/i-f | F | Avira URL Cloud: safe | unknown
http://www.fontbureau.comals | E | URL Reputation: safe | unknown
http://www.founder.com.cn/cn& | Doc.exe, 00000000.00000003.244057616.00000000080E6000.00000004.00000001.sdmp | Avira URL Cloud: safe | unknown
http://www.fontbureau.comitud | E | Avira URL Cloud: safe | unknown
http://tempuri.org/CSMDataSet.xsd | dhcpmon.exe, 00000013.00000002.350486647.0000000003024000.00000004.00000001.sdmp | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0ldZ | F | Avira URL Cloud: safe | unknown

The one entry that is not a font-vendor string, http://tempuri.org/CSMDataSet.xsd, is the placeholder XML namespace Visual Studio assigns to a generated typed DataSet; it is part of the .NET assembly's own metadata (here the decoy "DHCP monitor" application code) and, like the rest of this table, is not a contact the sample makes.
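A table like the one above is typical for a .NET sample: dozens of carved strings, nearly all of them font-foundry URLs with trailing bytes attached, and a handful of rows that actually merit a look. The analyst's first pass is to collapse every carved URL to its registrable domain and set the known-benign vendors aside. The following is an added example (not part of the Joe Sandbox report): it normalises each URL with a deliberately small heuristic that treats a host label beginning with a known TLD as that TLD plus carving garbage, then splits the results into font-vendor noise and a residue for review. The TLD lists and the FONT_VENDORS allowlist are assumptions of this example, and the input is a constructed subset of the table above; a production version would back the normalisation with the Public Suffix List.

```python
"""Triage of URLs carved from process memory.

Added example, not from the report. Normalises carved URLs whose host ran into
adjacent bytes ("fontbureau.comI.TTF", "urwpp.deDPlease") and separates
font-vendor noise from strings an analyst should still look at. The TLD and
vendor lists below are assumptions sized to this report; use the Public Suffix
List for anything beyond a worked example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

GENERIC_TLDS = ("com", "net", "org")
COUNTRY_TLDS = ("cn", "jp", "kr", "de")
SECOND_LEVEL = ("co", "com")          # .co.jp / .com.cn style registrations

# Font foundries whose URLs live in the name tables of Windows system fonts (assumed allowlist).
FONT_VENDORS = {
    "fontbureau.com", "founder.com.cn", "jiyu-kobo.co.jp", "tiro.com", "goodfont.co.kr",
    "carterandcone.com", "sajatypeworks.com", "typography.net", "galapagosdesign.com",
    "fontfabrik.com", "sandoll.co.kr", "urwpp.de", "zhongyicts.com.cn", "sakkal.com",
    "fonts.com",
}


def _prefix_match(label, options):
    """Longest option that `label` starts with, or None."""
    for opt in sorted(options, key=len, reverse=True):
        if label.startswith(opt):
            return opt
    return None


def registrable_domain(url):
    """Reduce a (possibly garbage-suffixed) carved URL to its registrable domain.

    Pass 1 uses exact TLD labels (normal, clean hostnames). Pass 2 assumes the
    carver ran past the string terminator and accepts the first label that merely
    *starts with* a TLD, discarding the rest of the host. Returns None when no
    TLD can be recognised at all (e.g. the truncated string http://en.w).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = [lab for lab in host.split(".") if lab]
    if len(labels) < 2:
        return None
    for i in range(1, len(labels)):
        lab = labels[i]
        nxt = labels[i + 1] if i + 1 < len(labels) else None
        cc = _prefix_match(nxt, COUNTRY_TLDS) if nxt is not None else None
        if lab in SECOND_LEVEL and cc:
            return f"{labels[i - 1]}.{lab}.{cc}"
        if lab in GENERIC_TLDS or lab in COUNTRY_TLDS:
            return f"{labels[i - 1]}.{lab}"
    for i in range(1, len(labels)):
        tld = _prefix_match(labels[i], GENERIC_TLDS + COUNTRY_TLDS)
        if tld:
            return f"{labels[i - 1]}.{tld}"
    return None


def triage(urls):
    """Group carved URLs by registrable domain.

    Returns (noise, review): two dicts mapping domain -> sorted raw URLs, where
    `noise` holds known font-vendor strings and `review` everything else,
    including URLs whose domain could not be recovered ("(unresolved)").
    """
    noise, review = defaultdict(set), defaultdict(set)
    for u in urls:
        dom = registrable_domain(u)
        bucket = noise if dom in FONT_VENDORS else review
        bucket[dom or "(unresolved)"].add(u)
    return ({k: sorted(v) for k, v in noise.items()},
            {k: sorted(v) for k, v in review.items()})


# Constructed subset of the "URLs from Memory and Binaries" table above.
CARVED_URLS = [
    "http://www.fontbureau.comI.TTF", "http://www.fontbureau.com/designers/cabarga.htmlN",
    "http://www.founder.com.cn/cn/bThe", "http://www.founder.com.cnX",
    "http://www.jiyu-kobo.co.jp/jp/H", "http://www.jiyu-kobo.co.jp/$",
    "http://www.typography.netD", "http://www.urwpp.deDPlease",
    "http://www.zhongyicts.com.cne", "http://www.carterandcone.como.",
    "http://www.sandoll.co.kr", "http://fontfabrik.com",
    "http://www.apache.org/licenses/LICENSE-2.0", "http://tempuri.org/CSMDataSet.xsd",
    "http://en.w",
]

if __name__ == "__main__":
    noise, review = triage(CARVED_URLS)
    print(f"{len(noise)} font-vendor domains set aside as noise")
    for dom, raw in review.items():
        print(f"REVIEW {dom}: {raw}")
```

On this input the review bucket is reduced to apache.org (a licence URL embedded in font metadata), tempuri.org (the .NET typed-DataSet placeholder namespace) and the unresolvable http://en.w, which is where the analyst's time should go. The second normalisation pass is lossy by design: a legitimate host such as www.network.example would be truncated to network.net, which is why it runs only after the exact-label pass fails.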

Contacted IPs

Public

IP             | Domain                                                                  | Country       | ASN   | ASN Name                                  | Malicious
172.111.249.15 | unknown                                                                 | United States | 45671 | AS45671-NET-AUWholesaleServicesProviderAU | true
154.120.95.234 | unknown (resolved from innocentbooii.hopto.org, see Contacted Domains)  | Nigeria       | 37340 | SpectranetNG                              | true

Both public IPs were contacted on port 55420 (behavior graph above), so a single destination-port rule covers this sample's C2 traffic regardless of which endpoint the operator is using.

Private

IP
192.168.2.1

                            General Information

                            Joe Sandbox Version:31.0.0 Red Diamond
                            Analysis ID:341408
                            Start date:19.01.2021
                            Start time:10:22:14
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 14m 2s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:Doc.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:40
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@27/12@5/3
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 5.1% (good quality ratio 2.8%)
                            • Quality average: 39.3%
                            • Quality standard deviation: 39.3%
                            HCA Information:
                            • Successful, ratio: 89%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 92.122.144.200, 40.88.32.150, 51.103.5.159, 51.11.168.160, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.254.96.93
                            • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, par02p.wns.notify.trafficmanager.net
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            10:23:16 | API Interceptor | 1148x Sleep call for process: Doc.exe modified
                            10:23:28 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Doc.exe" s>$(Arg0)
                            10:23:30 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                            10:23:30 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            10:23:43 | API Interceptor | 3x Sleep call for process: dhcpmon.exe modified

                            Joe Sandbox View / Context

                            IPs

                            Associated Sample Name / URL | Detection | Context (IP)
                            Match: 172.111.249.15
                            • Scan002.exe.exe | malicious | (none)

                              Domains

                              Associated Sample Name / URL | Detection | Context (IP)
                              Match: innocentbooii.hopto.org
                              • Scan002.exe.exe | malicious | 172.111.249.15
                              • File.exe | malicious | 194.5.98.108
                              • SWB copy.exe | malicious | 194.5.98.108
                              • 0LGpT3WYf1.exe | malicious | 154.120.96.115

                              ASN

                              Associated Sample Name / URL | Detection | Context (IP)
                              Match: AS45671-NET-AUWholesaleServicesProviderAU
                              • Scan002.exe.exe | malicious | 172.111.249.15
                              • http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb | malicious | 203.26.196.25
                              • Check.vbs | malicious | 27.50.75.62
                              • ano.exe | malicious | 27.50.80.18
                              • jbs.exe | malicious | 221.121.151.3
                              • https://noosahealth.com/vnotice/w9k6dnqb128gjgj9oklfih2f.php?MTYwMTU2MDcyMGYwN2NlMDllN2Q1NTNlNWU1ODcwZGM1N2RhOWQ1ZWFkNDNiZTIxZTUxNGRkYjQ0MzNmNDNlNTRlNDgzMzI1YzM5NGZhODY4ZA==&data=a2lhbWV0dGlAY29leHBhbi5jb20= | malicious | 103.13.103.135
                              • https://rgmgalaxy.com/cgi/?email=cgarcia@dataxu.com | malicious | 180.92.196.41
                              • https://bnet.alpha-fem.com/rt/dmZpYWxsb3NAYmFjZmxvcmlkYS5jb20= | malicious | 45.74.14.19
                              • ali.exe | malicious | 27.50.80.18
                              • CZP44EvQFN.doc | malicious | 118.127.60.139
                              • svPo783mk8.doc | malicious | 118.127.60.139
                              • 9NLNYxPRWg.doc | malicious | 118.127.60.139
                              • gN7CiLPI2w.doc | malicious | 118.127.60.139
                              • b8X9P4f011.doc | malicious | 118.127.60.139
                              • lRxIRaWSZK.doc | malicious | 118.127.60.139
                              • T08KQuKIgs.doc | malicious | 118.127.60.139
                              • GhM6Zmi4U1.doc | malicious | 118.127.60.139
                              • mhaoMky8ES.doc | malicious | 118.127.60.139
                              • LApPQ8KJHO.doc | malicious | 118.127.60.139
                              • Sv5mt8dv9I.doc | malicious | 118.127.60.139
                              Match: SpectranetNG
                              • 0712020.exe | malicious | 41.217.69.179
                              • 49221o3F5N.exe | malicious | 41.217.64.43
                              • 0LGpT3WYf1.exe | malicious | 154.120.96.115
                              • PURCHASE ORDER TOUSE IMPORT& EXPORT CO. ,LTD.ZIP FILE.exe | malicious | 41.217.62.17
                              • INV9938884.exe | malicious | 154.118.49.103
                              • bedrapes.exe | malicious | 154.118.68.3
                              • 5Shipment 09252018 - Ship REPORT WEEK 37.exe | malicious | 197.242.116.57
                              • 7Statement of account.exe | malicious | 154.118.3.123
                              • 26SHIPMENT PASSED-Draft BL, Packing list.exe | malicious | 197.242.99.110
                              • Property Enquiry Ref-00255487453342065334.exe | malicious | 154.120.125.40
                              • 59Purchase order.exe | malicious | 197.242.119.100
                              • 42Invoice.exe | malicious | 154.118.11.196
                              • DHL correction form.exe | malicious | 41.217.118.185
                              • 3Doc_EZ19029587.js | malicious | 154.120.121.109
                              • 3Doc_EZ19029587.js | malicious | 154.120.121.109

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1530880
                              Entropy (8bit):7.361237861080968
                              Encrypted:false
                              SSDEEP:24576:uPoF365K8SDEXOkK3xtBi2H+N/ntbYZ0PNK1XtCIix:uAF3UK8UEekcxi24lDlK5g
                              MD5:C853495818DB3FDDF333CE3EAF5E6CC3
                              SHA1:51DFA28D2BF0AF44DE903FA80E4458110155F34B
                              SHA-256:799087F4F62932DBE6405946E5FC9215C9DF899909C15F0C1D876EC28E9436B0
                              SHA-512:1015EF73002C3221F8386F6E39CA2806F1662650001BE1DD8ACDAC02652D876AB2DA55E07ECF9612F6FDD39F8962A38EB07A034332A13BD39882BA71A9CC7B2C
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 39%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.................0......T............... ....@.. ....................................@................................. ...K......................................................................................................H...........2)-..Lp$(.... ......................@....text............................... ..`.rsrc..............................@..@.reloc...............X..............@..B.....................Z.............. ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Doc.exe.log
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):525
                              Entropy (8bit):5.2874233355119316
                              Encrypted:false
                              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                              MD5:61CCF53571C9ABA6511D696CB0D32E45
                              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                              Malicious:true
                              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):525
                              Entropy (8bit):5.2874233355119316
                              Encrypted:false
                              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                              MD5:61CCF53571C9ABA6511D696CB0D32E45
                              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                              Malicious:false
                              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                              C:\Users\user\AppData\Local\Temp\tmp58A2.tmp
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1646
                              Entropy (8bit):5.168874231313252
                              Encrypted:false
                              SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBW2tn:cbhC7ZlNQF/rydbz9I3YODOLNdq3QA
                              MD5:CE1BE564A3A2FC5A84B77D871C48403A
                              SHA1:72FCBAD1A719615F75EA5DB50F5E2C42C057B408
                              SHA-256:E658B7A017F5F96155CFEEFB68260E340ACA2185A4C3CB59FA5933B327C93A15
                              SHA-512:C91296EF7400A0B7597B11B1871672D3930E01B015C82E463EE47482D24D0B77272058FFA2B2ED252FAD13B087F4BC080630D8FA61628AE4E1FFBA74A73B35A7
                              Malicious:true
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                              C:\Users\user\AppData\Local\Temp\tmpB420.tmp
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1646
                              Entropy (8bit):5.168874231313252
                              Encrypted:false
                              SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBW2tn:cbhC7ZlNQF/rydbz9I3YODOLNdq3QA
                              MD5:CE1BE564A3A2FC5A84B77D871C48403A
                              SHA1:72FCBAD1A719615F75EA5DB50F5E2C42C057B408
                              SHA-256:E658B7A017F5F96155CFEEFB68260E340ACA2185A4C3CB59FA5933B327C93A15
                              SHA-512:C91296EF7400A0B7597B11B1871672D3930E01B015C82E463EE47482D24D0B77272058FFA2B2ED252FAD13B087F4BC080630D8FA61628AE4E1FFBA74A73B35A7
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                              C:\Users\user\AppData\Local\Temp\tmpD558.tmp
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1294
                              Entropy (8bit):5.089166573730756
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0P8xtn:cbk4oL600QydbQxIYODOLedq3S8j
                              MD5:A248EE7904DBB7192DE9B87A0C445935
                              SHA1:46D3C56F28A5D6E8AE17F722D37D1F9A7E28D851
                              SHA-256:A17BEEC25E493B9B4B2534770C25F2E667F8449891066819113B6E5DB3FF68FA
                              SHA-512:5BE95F18C4089084ED90FED40D52D23F9EE8CCC73F1B273F481EDCF194F0403C5C9BFB52674EB845BFDF2724AC558C5747988872EA7926E5CD310C0EC1D6847D
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmpD876.tmp
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1310
                              Entropy (8bit):5.109425792877704
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmpDD04.tmp
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1646
                              Entropy (8bit):5.168874231313252
                              Encrypted:false
                              SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBW2tn:cbhC7ZlNQF/rydbz9I3YODOLNdq3QA
                              MD5:CE1BE564A3A2FC5A84B77D871C48403A
                              SHA1:72FCBAD1A719615F75EA5DB50F5E2C42C057B408
                              SHA-256:E658B7A017F5F96155CFEEFB68260E340ACA2185A4C3CB59FA5933B327C93A15
                              SHA-512:C91296EF7400A0B7597B11B1871672D3930E01B015C82E463EE47482D24D0B77272058FFA2B2ED252FAD13B087F4BC080630D8FA61628AE4E1FFBA74A73B35A7
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:JIDt:Gx
                              MD5:0F537B5F4F20482B8B769AE429A9ACAE
                              SHA1:1BD898059B9938529CFF3208C1FE31F641C84C2C
                              SHA-256:CCFF37E420E56A6BB38FE3FFCE46C9CCA7C4FA64A4FA49F65925911D0680B693
                              SHA-512:EDD9C694501661CB79C177E3D5059B46465287282B1125C2F55956748F68ECEB0F047A858BC7DF2EBA6DDC95B1E9E368C9E68AF9ACEE2FCF2ABE92CAE810BB2B
                              Malicious:true
                              Preview: Z..P...H
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):31
                              Entropy (8bit):3.962103165155795
                              Encrypted:false
                              SSDEEP:3:oNUWJRWhKk:oNNJAck
                              MD5:6DDAF09443278775838A4E5FC0A80DF6
                              SHA1:9CD9265F32A1D9636E886A0D8D178C79F7D28026
                              SHA-256:550B94662EDD56B552AE175CD834E72FDCB11F2F01EC1680797E251857F679E8
                              SHA-512:27E6F50EABC36090A45B9438780CF407D8F8E8B5E6F1351118220CD732C18526CC72D46720D13FCF21C4A6E014BFAEE2A81CA8DD20585EB336B0026027FA03E2
                              Malicious:false
                              Preview: C:\Users\user\Desktop\Doc.exe
                              C:\Users\user\AppData\Roaming\dEkaSoUjP.exe
                              Process:C:\Users\user\Desktop\Doc.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1530880
                              Entropy (8bit):7.361237861080968
                              Encrypted:false
                              SSDEEP:24576:uPoF365K8SDEXOkK3xtBi2H+N/ntbYZ0PNK1XtCIix:uAF3UK8UEekcxi24lDlK5g
                              MD5:C853495818DB3FDDF333CE3EAF5E6CC3
                              SHA1:51DFA28D2BF0AF44DE903FA80E4458110155F34B
                              SHA-256:799087F4F62932DBE6405946E5FC9215C9DF899909C15F0C1D876EC28E9436B0
                              SHA-512:1015EF73002C3221F8386F6E39CA2806F1662650001BE1DD8ACDAC02652D876AB2DA55E07ECF9612F6FDD39F8962A38EB07A034332A13BD39882BA71A9CC7B2C
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 39%
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.................0......T............... ....@.. ....................................@................................. ...K......................................................................................................H...........2)-..Lp$(.... ......................@....text............................... ..`.rsrc..............................@..@.reloc...............X..............@..B.....................Z.............. ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.361237861080968
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.96%
                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:Doc.exe
                              File size:1530880
                              MD5:c853495818db3fddf333ce3eaf5e6cc3
                              SHA1:51dfa28d2bf0af44de903fa80e4458110155f34b
                              SHA256:799087f4f62932dbe6405946e5fc9215c9df899909c15f0c1d876ec28e9436b0
                              SHA512:1015ef73002c3221f8386f6e39ca2806f1662650001be1dd8acdac02652d876ab2da55e07ecf9612f6fdd39f8962a38eb07a034332a13bd39882ba71a9cc7b2c
                              SSDEEP:24576:uPoF365K8SDEXOkK3xtBi2H+N/ntbYZ0PNK1XtCIix:uAF3UK8UEekcxi24lDlK5g
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.................0......T............... ....@.. ....................................@................................

                              File Icon

                              Icon Hash:8ae8ccccecece09a

                              Static PE Info

                              General

                              Entrypoint:0x57c00a
                              Entrypoint Section:
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0xC7A08D7A [Mon Feb 17 17:59:22 2076 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v2.0.50727
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [0057C000h]

                              Data Directories

                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xec920 | 0x4b | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15e000 | 0x1b0c8 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17a000 | 0xc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x17c000 | 0x8
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0xec000 | 0x48 | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

                              Sections

                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              2)-Lp$ | 0x2000 | 0xe9e28 | 0xea000 | False | 1.00031404414 | data | 7.99982367826 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .text | 0xec000 | 0x70018 | 0x70200 | False | 0.306355386009 | data | 4.75650322444 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rsrc | 0x15e000 | 0x1b0c8 | 0x1b200 | False | 0.127538162442 | data | 3.74361062755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0x17a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              (nameless section) | 0x17c000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

                              Resources

                              Name | RVA | Size | Type | Language | Country
                              RT_ICON | 0x15e220 | 0x1913 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                              RT_ICON | 0x15fb34 | 0x10828 | dBase III DBT, version number 0, next free block index 40
                              RT_ICON | 0x17035c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
                              RT_ICON | 0x174584 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
                              RT_ICON | 0x176b2c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
                              RT_ICON | 0x177bd4 | 0x468 | GLS_BINARY_LSB_FIRST
                              RT_GROUP_ICON | 0x17803c | 0x5a | data
                              RT_VERSION | 0x178098 | 0x33a | data
                              RT_MANIFEST | 0x1783d4 | 0xcef | XML 1.0 document, UTF-8 Unicode (with BOM) text

                              Imports

                              DLL | Import
                              mscoree.dll | _CorExeMain

                              Version Infos

                              Description | Data
                              Translation | 0x0000 0x04b0
                              LegalCopyright | Copyright 2020 ITEL
                              Assembly Version | 8.0.36.2
                              InternalName | .exe
                              FileVersion | 8.0.37.2
                              CompanyName | ITEL Limited
                              LegalTrademarks |
                              Comments |
                              ProductName | CSM Project
                              ProductVersion | 8.0.37.2
                              FileDescription | CSM Project
                              OriginalFilename | .exe

                              Network Behavior

                              TCP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jan 19, 2021 10:23:30.951219082 CET | 49714 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:23:34.106537104 CET | 49714 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:23:40.107089996 CET | 49714 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:23:56.398092031 CET | 49722 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:23:59.406162024 CET | 49722 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:24:05.406017065 CET | 49722 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:24:17.939691067 CET | 49730 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:24:21.032339096 CET | 49730 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:24:27.032870054 CET | 49730 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:24:37.293370008 CET | 49735 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:24:40.299601078 CET | 49735 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:24:46.300118923 CET | 49735 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:24:55.309611082 CET | 49738 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:24:58.316715956 CET | 49738 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:25:04.317243099 CET | 49738 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:25:13.085031986 CET | 49739 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:25:16.099419117 CET | 49739 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:25:22.115677118 CET | 49739 | 55420 | 192.168.2.5 | 172.111.249.15
                              Jan 19, 2021 10:25:31.900134087 CET | 49740 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:25:34.897878885 CET | 49740 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:25:40.898380041 CET | 49740 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:25:56.120098114 CET | 49751 | 55420 | 192.168.2.5 | 154.120.95.234
                              Jan 19, 2021 10:25:59.122292042 CET | 49751 | 55420 | 192.168.2.5 | 154.120.95.234

                              UDP Packets


                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Jan 19, 2021 10:23:30.818375111 CET | 192.168.2.5 | 8.8.8.8 | 0x7fa6 | Standard query (0) | innocentbooii.hopto.org | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:23:56.321463108 CET | 192.168.2.5 | 8.8.8.8 | 0xc577 | Standard query (0) | innocentbooii.hopto.org | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:24:17.880350113 CET | 192.168.2.5 | 8.8.8.8 | 0x5c38 | Standard query (0) | innocentbooii.hopto.org | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:25:31.837795019 CET | 192.168.2.5 | 8.8.8.8 | 0x1870 | Standard query (0) | innocentbooii.hopto.org | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:25:56.058824062 CET | 192.168.2.5 | 8.8.8.8 | 0x7845 | Standard query (0) | innocentbooii.hopto.org | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Jan 19, 2021 10:23:30.878221989 CET | 8.8.8.8 | 192.168.2.5 | 0x7fa6 | No error (0) | innocentbooii.hopto.org | | 154.120.95.234 | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:23:56.384004116 CET | 8.8.8.8 | 192.168.2.5 | 0xc577 | No error (0) | innocentbooii.hopto.org | | 154.120.95.234 | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:24:17.938066959 CET | 8.8.8.8 | 192.168.2.5 | 0x5c38 | No error (0) | innocentbooii.hopto.org | | 154.120.95.234 | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:25:31.898233891 CET | 8.8.8.8 | 192.168.2.5 | 0x1870 | No error (0) | innocentbooii.hopto.org | | 154.120.95.234 | A (IP address) | IN (0x0001)
                              Jan 19, 2021 10:25:56.118586063 CET | 8.8.8.8 | 192.168.2.5 | 0x7845 | No error (0) | innocentbooii.hopto.org | | 154.120.95.234 | A (IP address) | IN (0x0001)

                              System Behavior

                              General

                              Start time:10:23:04
                              Start date:19/01/2021
                              Path:C:\Users\user\Desktop\Doc.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\Desktop\Doc.exe'
                              Imagebase:0xe70000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.278969734.00000000073FA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:10:23:20
                              Start date:19/01/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmp58A2.tmp'
                              Imagebase:0xbf0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:21
                              Start date:19/01/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7ecfc0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:23
                              Start date:19/01/2021
                              Path:C:\Users\user\Desktop\Doc.exe
                              Wow64 process (32bit):false
                              Commandline:{path}
                              Imagebase:0x3b0000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:10:23:24
                              Start date:19/01/2021
                              Path:C:\Users\user\Desktop\Doc.exe
                              Wow64 process (32bit):true
                              Commandline:{path}
                              Imagebase:0xcf0000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.595250143.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:10:23:26
                              Start date:19/01/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD558.tmp'
                              Imagebase:0x7ff797770000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:26
                              Start date:19/01/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7ecfc0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:27
                              Start date:19/01/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD876.tmp'
                              Imagebase:0xbf0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:27
                              Start date:19/01/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7ecfc0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:29
                              Start date:19/01/2021
                              Path:C:\Users\user\Desktop\Doc.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\Doc.exe 0
                              Imagebase:0xdd0000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.330365901.00000000047AD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.326488687.0000000003667000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:10:23:30
                              Start date:19/01/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                              Imagebase:0x4a0000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.328137753.0000000003EDD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 39%, ReversingLabs
                              Reputation:low

                              General

                              Start time:10:23:38
                              Start date:19/01/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                              Imagebase:0x680000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.350701608.00000000030AC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.355278131.0000000006CBA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:10:23:44
                              Start date:19/01/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB420.tmp'
                              Imagebase:0xbf0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:44
                              Start date:19/01/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7ecfc0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:46
                              Start date:19/01/2021
                              Path:C:\Users\user\Desktop\Doc.exe
                              Wow64 process (32bit):true
                              Commandline:{path}
                              Imagebase:0x5d0000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339391381.0000000003D21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.335391118.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339287751.0000000002D21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:10:23:54
                              Start date:19/01/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dEkaSoUjP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD04.tmp'
                              Imagebase:0xbf0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:54
                              Start date:19/01/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7ecfc0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:23:55
                              Start date:19/01/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:{path}
                              Imagebase:0xd00000
                              File size:1530880 bytes
                              MD5 hash:C853495818DB3FDDF333CE3EAF5E6CC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.364409050.0000000004561000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.361008474.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.364312350.0000000003561000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Disassembly

                              Code Analysis