Windows Analysis Report CV.exe

Overview

General Information

Sample Name: CV.exe
Analysis ID: 508724
MD5: 5d9fed85f31d020568f166e6291cbe7b
SHA1: df89b8bfedfd260e648b3a8938b47db6d2e1591c
SHA256: 9219aa9982516a8454b770461ed85217cf3adc6c2c2008b296720e3665b51e54
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "baa1bd16-ba50-4743-8b51-41c36ee5", "Group": "Default", "Domain1": "kamuchehddhgfgf.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.453"}
Multi AV Scanner detection for submitted file
Source: CV.exe Virustotal: Detection: 47%
Source: CV.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for domain / URL
Source: kamuchehddhgfgf.ddns.net Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 55%
Yara detected Nanocore RAT
Source: Yara match File source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.349379459.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR
Machine Learning detection for sample
Source: CV.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: CV.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\CV.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49779 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49796 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49798 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49823 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49825 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49827 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49828 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49829 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49830 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49831 -> 37.0.10.22:1187
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49832 -> 37.0.10.22:1187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: kamuchehddhgfgf.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: kamuchehddhgfgf.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WKD-ASIE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 37.0.10.22
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49742 -> 37.0.10.22:1187
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CV.exe, 00000000.00000003.292840638.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: CV.exe, 00000000.00000003.292954620.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com.128
Source: CV.exe, 00000000.00000003.293277635.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coma-eZ~
Source: CV.exe, 00000000.00000003.292954620.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comcmf
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: CV.exe, 00000000.00000003.292793078.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comnL
Source: CV.exe, 00000000.00000003.293277635.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comt
Source: CV.exe, 00000000.00000003.292662737.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comva
Source: CV.exe, 00000000.00000002.306904684.0000000007060000.00000004.00020000.sdmp, dhcpmon.exe, 00000004.00000002.340666656.0000000006A50000.00000004.00020000.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: CV.exe, 00000000.00000002.305862442.0000000005A9F000.00000004.00000001.sdmp, CV.exe, 00000000.00000003.295929510.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CV.exe, 00000000.00000003.296543987.0000000005A9F000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: CV.exe, 00000000.00000003.296688420.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: CV.exe, 00000000.00000003.297122363.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comL:
Source: CV.exe, 00000000.00000002.305862442.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma#:
Source: CV.exe, 00000000.00000003.297122363.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: CV.exe, 00000000.00000003.297752818.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: CV.exe, 00000000.00000003.297504963.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: CV.exe, 00000000.00000003.296469812.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd#:
Source: CV.exe, 00000000.00000003.296688420.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd9
Source: CV.exe, 00000000.00000003.296688420.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdW:_L
Source: CV.exe, 00000000.00000003.296688420.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comepko
Source: CV.exe, 00000000.00000003.296924212.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitud
Source: CV.exe, 00000000.00000003.296001995.0000000005AA1000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comldTF
Source: CV.exe, 00000000.00000003.296688420.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.commsed
Source: CV.exe, 00000000.00000003.296543987.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: CV.exe, 00000000.00000002.305862442.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comrsivo
Source: CV.exe, 00000000.00000003.296688420.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comtota
Source: CV.exe, 00000000.00000003.300410158.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comue
Source: CV.exe, 00000000.00000003.295929510.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comzana
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: CV.exe, 00000000.00000003.292056253.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: CV.exe, 00000000.00000003.292194916.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: CV.exe, 00000000.00000003.292181353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn//
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CV.exe, 00000000.00000003.292284353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnRL%
Source: CV.exe, 00000000.00000003.292056253.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cne-d
Source: CV.exe, 00000000.00000003.292194916.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnl-nq
Source: CV.exe, 00000000.00000003.298290141.0000000005A9F000.00000004.00000001.sdmp, CV.exe, 00000000.00000003.298024440.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: CV.exe, 00000000.00000003.291507105.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krm
Source: CV.exe, 00000000.00000003.291507105.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kry~
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CV.exe, 00000000.00000003.294933939.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/;:
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/E:IL
Source: CV.exe, 00000000.00000003.295207535.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/L:
Source: CV.exe, 00000000.00000003.294709035.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/W:_L
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: CV.exe, 00000000.00000003.293738034.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/el-g
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/W:_L
Source: CV.exe, 00000000.00000003.294520353.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: CV.exe, 00000000.00000003.296290237.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.;9
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: CV.exe, 00000000.00000003.291507105.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr3~_L
Source: CV.exe, 00000000.00000003.291507105.0000000005A7C000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr:~
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: CV.exe, 00000000.00000003.293128361.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com&=
Source: CV.exe, 00000000.00000003.293128361.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comlic
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: CV.exe, 00000000.00000003.297338037.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: CV.exe, 00000000.00000003.297307820.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de3=
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: CV.exe, 00000000.00000002.305939020.0000000006C82000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: CV.exe, 00000000.00000003.292602258.0000000005A9F000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnva
Source: unknown DNS traffic detected: queries for: kamuchehddhgfgf.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: CV.exe, 00000000.00000002.304284861.00000000016EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: dhcpmon.exe, 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.349379459.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.2e33ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.349379459.0000000003E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: CV.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.dhcpmon.exe.2e33ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.dhcpmon.exe.2e33ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.349379459.0000000003E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_018E2AA0 0_2_018E2AA0
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_018E98A8 0_2_018E98A8
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_018E3768 0_2_018E3768
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_018E477E 0_2_018E477E
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_018E3778 0_2_018E3778
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB2AA0 4_2_04FB2AA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB98A8 4_2_04FB98A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB36A1 4_2_04FB36A1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB3778 4_2_04FB3778
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB477E 4_2_04FB477E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB3768 4_2_04FB3768
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_04FD2FA8 5_2_04FD2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_04FD23A0 5_2_04FD23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_04FD3850 5_2_04FD3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_04FD306F 5_2_04FD306F
Sample file is different than original file name gathered from version info
Source: CV.exe Binary or memory string: OriginalFilename vs CV.exe
Source: CV.exe, 00000000.00000002.306904684.0000000007060000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs CV.exe
Source: CV.exe, 00000000.00000002.307715323.0000000007240000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs CV.exe
Source: CV.exe, 00000000.00000002.304284861.00000000016EA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs CV.exe
Source: CV.exe Binary or memory string: OriginalFilenameSoapInteg.exe8 vs CV.exe
Source: CV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CV.exe Virustotal: Detection: 47%
Source: CV.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\CV.exe File read: C:\Users\user\Desktop\CV.exe
Source: CV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\CV.exe 'C:\Users\user\Desktop\CV.exe'
Source: C:\Users\user\Desktop\CV.exe Process created: C:\Users\user\Desktop\CV.exe C:\Users\user\Desktop\CV.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\CV.exe Process created: C:\Users\user\Desktop\CV.exe C:\Users\user\Desktop\CV.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\CV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\CV.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CV.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/8@19/2
Source: C:\Users\user\Desktop\CV.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CV.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\CV.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\CV.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CV.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\CV.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: CV.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\CV.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{baa1bd16-ba50-4743-8b51-41c36ee5d9d4}
Source: C:\Users\user\Desktop\CV.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\CV.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\CV.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\CV.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: CV.exe, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.CV.exe.f50000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.CV.exe.f50000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.CV.exe.d00000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.dhcpmon.exe.740000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.dhcpmon.exe.740000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.770000.1.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.dhcpmon.exe.770000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs .Net Code: gwijuJnBlDNT8sIbNVv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_00F5A2B7 push es; retf 0_2_00F5A338
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2B5D push eax; ret 0_2_015F2B5E
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2A48 push ecx; ret 0_2_015F2A4A
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2E1C push eax; ret 0_2_015F2E2A
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2D11 push eax; ret 0_2_015F2D12
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2A01 push edi; ret 0_2_015F2A02
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2E3C push eax; ret 0_2_015F2E42
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2995 push edi; ret 0_2_015F2996
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2E89 push edi; ret 0_2_015F2E8A
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_015F2CBC push eax; ret 0_2_015F2CBE
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_01607276 push ebp; ret 0_2_016073B5
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_016072F6 push ebp; ret 0_2_016073B5
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_018E7FEC pushfd ; iretd 0_2_018E7FF2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_0074A2B7 push es; retf 4_2_0074A338
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2CBC push eax; ret 4_2_00FE2CBE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2E89 push edi; ret 4_2_00FE2E8A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2A48 push ecx; ret 4_2_00FE2A4A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2E3C push eax; ret 4_2_00FE2E42
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2E1C push eax; ret 4_2_00FE2E2A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2A01 push edi; ret 4_2_00FE2A02
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2995 push edi; ret 4_2_00FE2996
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2B5D push eax; ret 4_2_00FE2B5E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FE2D11 push eax; ret 4_2_00FE2D12
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_00FF7324 push ebp; ret 4_2_00FF73B5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4_2_04FB7FEC pushfd ; iretd 4_2_04FB7FF2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_0077A2B7 push es; retf 5_2_0077A338
Source: initial sample Static PE information: section name: .text entropy: 7.82329709284
Source: CV.exe, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: CV.exe, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: CV.exe, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: CV.exe, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: CV.exe, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: CV.exe, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: CV.exe, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: CV.exe, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: CV.exe, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 0.0.CV.exe.f50000.0.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 0.0.CV.exe.f50000.0.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 0.0.CV.exe.f50000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 0.0.CV.exe.f50000.0.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 0.0.CV.exe.f50000.0.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 0.0.CV.exe.f50000.0.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 0.0.CV.exe.f50000.0.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 0.0.CV.exe.f50000.0.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 0.0.CV.exe.f50000.0.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 0.2.CV.exe.f50000.0.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 0.2.CV.exe.f50000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 0.2.CV.exe.f50000.0.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 0.2.CV.exe.f50000.0.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 0.2.CV.exe.f50000.0.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 0.2.CV.exe.f50000.0.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 0.2.CV.exe.f50000.0.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 0.2.CV.exe.f50000.0.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 0.2.CV.exe.f50000.0.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: dhcpmon.exe.2.dr, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: dhcpmon.exe.2.dr, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: dhcpmon.exe.2.dr, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: dhcpmon.exe.2.dr, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: dhcpmon.exe.2.dr, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: dhcpmon.exe.2.dr, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: dhcpmon.exe.2.dr, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: dhcpmon.exe.2.dr, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: dhcpmon.exe.2.dr, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 2.0.CV.exe.d00000.0.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 2.0.CV.exe.d00000.0.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 2.0.CV.exe.d00000.0.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 2.0.CV.exe.d00000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 2.0.CV.exe.d00000.0.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 2.0.CV.exe.d00000.0.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 2.0.CV.exe.d00000.0.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 2.0.CV.exe.d00000.0.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 2.0.CV.exe.d00000.0.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 4.2.dhcpmon.exe.740000.0.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 4.2.dhcpmon.exe.740000.0.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 4.2.dhcpmon.exe.740000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 4.2.dhcpmon.exe.740000.0.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 4.2.dhcpmon.exe.740000.0.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 4.2.dhcpmon.exe.740000.0.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 4.2.dhcpmon.exe.740000.0.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 4.2.dhcpmon.exe.740000.0.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 4.2.dhcpmon.exe.740000.0.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 4.0.dhcpmon.exe.740000.0.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 4.0.dhcpmon.exe.740000.0.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 4.0.dhcpmon.exe.740000.0.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 4.0.dhcpmon.exe.740000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 4.0.dhcpmon.exe.740000.0.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 4.0.dhcpmon.exe.740000.0.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 4.0.dhcpmon.exe.740000.0.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 4.0.dhcpmon.exe.740000.0.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 4.0.dhcpmon.exe.740000.0.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 5.2.dhcpmon.exe.770000.1.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 5.2.dhcpmon.exe.770000.1.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 5.2.dhcpmon.exe.770000.1.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 5.2.dhcpmon.exe.770000.1.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 5.2.dhcpmon.exe.770000.1.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 5.2.dhcpmon.exe.770000.1.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 5.2.dhcpmon.exe.770000.1.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 5.2.dhcpmon.exe.770000.1.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 5.2.dhcpmon.exe.770000.1.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 5.0.dhcpmon.exe.770000.0.unpack, GQ9WpnkMxs0KqDlR2p/hrvUB6q5ehponiZHtm.cs High entropy of concatenated method names: 'M17iAmQZ1V', 'j1WicCThhc', 'Kb3iTBHgep', 'XcdiVebSVE', 'MUmi6I4X8E', 'cJDiK0k8Yi', 'N9mik5naKE', 'ooAibx7mwa', 'y5siH3cVsD', '.ctor'
Source: 5.0.dhcpmon.exe.770000.0.unpack, U0GjgnuvPsJiWrBfdd/MwQiV9lNrqbX6gLeoM.cs High entropy of concatenated method names: 'giBAHmpOI', 'eixCfSdgg', 'Hu7ccixbJ', 'F8VyeymWy', 'MhYTifPTu', 'ttAFgIyRt', 'iQbVN2RNq', 'iejXRitWZ', 'XD26EtWqg', '.ctor'
Source: 5.0.dhcpmon.exe.770000.0.unpack, vcv4gTirOXWUkhhGZm/fYdeSiOhGUYAVaiNf9.cs High entropy of concatenated method names: 'yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj', 'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G'
Source: 5.0.dhcpmon.exe.770000.0.unpack, JQbqyjgMb1J9JIpJyU/XmgRAB8YhhVrmAJ6e1.cs High entropy of concatenated method names: 'QVHtOtpxWt', 'IjYtUAIfW3', 'dg6thZoKcT', 'Pgbt4CDBeI', 'ctmt32W6j4', 'PwktgiAtIE', 'MSIt7BQ8dp', '.ctor', 'wHYWQG4A9C', 'XyQtH8GZL3'
Source: 5.0.dhcpmon.exe.770000.0.unpack, f6QAEQbHVikhcusZIE/HbdsvqV4QrR2Zn1T7w.cs High entropy of concatenated method names: 'DnMWKmdpDu', 'a3VWP3DBHf', 'aFSWDshvec', 'haPWbRSHhe', '.ctor', 'ttAWsgIyRt', 'HXgdpsnvRLiqam5ZlhJ', 'G1kZYonsMH5qr0RLhC7', 'K3EI4LniTKoHXiZcPvE', 'OQ4plNnqKOHpGiLTKtf'
Source: 5.0.dhcpmon.exe.770000.0.unpack, EVbGiUaRXQ4q1l90m3/d2W5DtpYMHJygNb8sb.cs High entropy of concatenated method names: 'xXGLROtEm', 'Ho2OkMFJ5', 'Rn7YDwpDI', 'FQ2hhR32S', '.ctor', 'TenbtQVjV', 'GJdH1Evjd', 'p0j1eMo6A', 'arxWNXpJhl', 'x4suC6YPS'
Source: 5.0.dhcpmon.exe.770000.0.unpack, J17pUYxA9GWZaQcuSR/a64q056RtKseix88WN.cs High entropy of concatenated method names: 'arxiXpJhl', 'HTxVrK5kMmDmJUOZdp', 'FlaVtKk3jkCs0QrrHO', 'h6QvH19VxAW3lH63Fs', 'egFcgTyP4p9ScIm9Om', 'ep0wcc1wwFEBomZ9Ir', 'ji8kXxI03MCuXIyq4G', 'jNB6fXu3bLsbIjkBNr'
Source: 5.0.dhcpmon.exe.770000.0.unpack, GR4yJPQDWUbch0SaCW/maOSCjS5dWe2tt79WY.cs High entropy of concatenated method names: '.ctor', 'LRciz3RqpG', 'IQntdU0WOy', 'Dispose', 'JDvtisw55s', 'VMLttCxOni', 'M6fLCIbs97jpZ6LrdCK', 'dgRbUAb7rviXDimUBM1', 'OlXjaJbvJXNXKUSnH4y', 'bT0rYVbid7xUJw9U33E'
Source: 5.0.dhcpmon.exe.770000.0.unpack, zbO3yM9XlRkXc1UhgG/AstOoPcs4y7n999nUR.cs High entropy of concatenated method names: 'Q81ijORQV0', 'mrEi8j5gIO', 'oWSiNCQ0OB', 'CAZiQ4fUdW', '.ctor', 'LcqWnjPeaR', 'ToString', 'LxyiGEF3N3', 'M2je8SbS0mSg54i8xWw', 'u4rNc0b68lNTiTSpRZW'
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
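The "High entropy of concatenated method names" hits above are the sandbox scoring the member names of each class in the unpacked modules. As an added example (my code, not the sandbox's implementation and not code from the sample) here is the same heuristic in Python, run on names copied from the report plus a constructed readable control set. The 4.8 bits/char threshold is my choice, not Joe Sandbox's; the `#=q` check uses the member-name prefix that de4dot attributes to the .NET Reactor renamer, which is the naming visible in the 5.2.dhcpmon.exe.400000.0.unpack entries.

```python
"""Added example (not from the Joe Sandbox report): the 'High entropy of
concatenated method names' heuristic, runnable over any member-name list
pulled from a .NET module with a decompiler."""
import math
import re
from collections import Counter

# Names copied from the report's lines above (4.2.dhcpmon.exe.740000.0.unpack
# and 5.2.dhcpmon.exe.400000.0.unpack).
OBFUSCATED = ['yktEoc6Ya', 'vp8GK43Tk', '.ctor', 'pi5jGds9i', 'MIp8JqFYj',
              'WorR2O6aV', 'fFsN5mp8Q', 'O25QpMydK', 'JmanyLpuf', 'EvoetO72G']
REACTOR_STYLE = ['#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=',
                 '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=',
                 '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=']
# Constructed control set: what an ordinary, unobfuscated class looks like.
READABLE = ['.ctor', 'Dispose', 'ToString', 'GetHashCode', 'Equals',
            'InitializeComponent', 'OnLoad', 'ButtonClick', 'LoadSettings', 'SaveSettings']

# Compiler- and framework-defined names survive every obfuscator, so they carry
# no signal; dropping them keeps '.ctor' from diluting a ten-name sample.
SPECIAL = {'.ctor', '.cctor', 'Dispose', 'ToString', 'Equals', 'GetHashCode', 'Finalize'}
# A readable identifier is a run of CamelCase chunks (an optional capital plus
# lowercase letters: 'On', 'Load', 'Settings'); digits or odd casing break it.
_WORDY = re.compile(r'(?:[A-Z]?[a-z]+)+')
ENTROPY_THRESHOLD = 4.8   # bits/char; my choice from the samples below, not the sandbox's value


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(names):
    """Score one class's method names and decide whether they look renamed."""
    own = [n for n in names if n not in SPECIAL]
    entropy = shannon_entropy(''.join(own))
    wordy = sum(1 for n in own if _WORDY.fullmatch(n)) / len(own) if own else 0.0
    # '#=q' is the member-name prefix de4dot attributes to .NET Reactor.
    reactor = any(n.startswith('#=q') for n in names)
    obfuscated = reactor or (entropy >= ENTROPY_THRESHOLD and wordy < 0.5)
    return {'entropy': round(entropy, 3), 'readable_ratio': round(wordy, 3),
            'reactor_prefix': reactor, 'obfuscated': obfuscated}


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('reactor', REACTOR_STYLE),
                         ('readable', READABLE)):
        print(label, classify(names))
```

The two signals are deliberately combined: random renaming pushes the entropy of the joined names toward the alphabet's maximum (about 5.3 bits/char for the ten names above versus about 4.1 for the control set), while the CamelCase ratio catches the short-name renamers whose output is too small for entropy to be stable.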

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\CV.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\CV.exe File opened: C:\Users\user\Desktop\CV.exe:Zone.Identifier read attributes | delete
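The entry above records CV.exe opening its own Zone.Identifier stream with delete access, i.e. removing the Mark of the Web so that SmartScreen and Office Protected View no longer see the file as an Internet download. As an added example (not the sample's code and not part of the report) the following Python reads and interprets that stream; the stream body is constructed, and the URLs in it are placeholders rather than values from the report.

```python
"""Added example: parse the Zone.Identifier alternate data stream (Mark of the
Web) that the report shows CV.exe opening with delete access on itself."""
import sys

ZONE_NAMES = {0: 'LocalMachine', 1: 'LocalIntranet', 2: 'TrustedSites',
              3: 'Internet', 4: 'RestrictedSites'}

# Constructed stream body of the kind a browser writes on download; the URLs
# are placeholders, not values from the report.
SAMPLE_STREAM = ('[ZoneTransfer]\r\n'
                 'ZoneId=3\r\n'
                 'ReferrerUrl=https://example.invalid/\r\n'
                 'HostUrl=https://example.invalid/CV.exe\r\n')


def parse_zone_identifier(text):
    """Parse the INI-style stream body. Returns None when there is no usable
    [ZoneTransfer] section, which is what a file with its stream deleted
    looks like once the stream text is empty."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'zonetransfer' and '=' in line:
            key, value = line.split('=', 1)
            fields[key.strip()] = value.strip()
    try:
        zone = int(fields['ZoneId'])
    except (KeyError, ValueError):
        return None
    return {'zone_id': zone, 'zone': ZONE_NAMES.get(zone, 'Unknown'),
            'referrer': fields.get('ReferrerUrl'), 'host': fields.get('HostUrl')}


def is_internet_origin(text):
    """True for the zones (Internet, RestrictedSites) that trigger SmartScreen
    and Office Protected View."""
    parsed = parse_zone_identifier(text)
    return parsed is not None and parsed['zone_id'] in (3, 4)


def read_motw(path):
    """Read the stream from an NTFS file on Windows via the 'file:stream' open
    syntax. None means the stream is absent: never written, deleted (as CV.exe
    does to itself above), a non-NTFS volume, or not running on Windows."""
    if sys.platform != 'win32':
        return None
    try:
        with open(path + ':Zone.Identifier', 'r', encoding='utf-8',
                  errors='replace') as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None
```

On a live host, read_motw on the dropped dhcpmon.exe and on CV.exe itself is the quick check for whether the stream survived; a None for a file the user demonstrably downloaded is the artifact this signature describes.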
Source: C:\Users\user\Desktop\CV.exe Process information set: NOOPENFILEERRORBOX (error mode SEM_NOOPENFILEERRORBOX, set via SetErrorMode; identical entry repeated 73 times in the report)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (error mode SEM_NOOPENFILEERRORBOX, set via SetErrorMode; identical entry repeated 48 times in the report)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.CV.exe.3667a98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.2e77ad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.304747743.0000000003682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304713233.0000000003661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.337007727.0000000002E92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CV.exe PID: 7020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5512, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CV.exe, 00000000.00000002.304747743.0000000003682000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: CV.exe, 00000000.00000002.304747743.0000000003682000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
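The two strings above (SBIEDLL.DLL, the Sandboxie user-mode DLL, and the kernel32 export wine_get_unix_file_name that only exists under Wine), together with the VMware registry and device strings reported further down in this section, are the lookups the sample's anti-analysis checks perform. The following is an added example, not the sandbox's scanner and not code from the sample, showing how to find such indicators in a raw memory region when they are managed .NET strings (UTF-16LE) as well as ASCII; the memory region is constructed, and the category labels are mine. Two caveats from the same section: "Hyper-V RAW" is the name of the Winsock AF_HYPERV protocol provider and appears in any process that initialises Winsock on Windows 10, so it is scored as noise here; and the "Add-MpPreference -ExclusionPath" fragment that sits next to the VMware SVGA II string is a Windows Defender exclusion cmdlet carried in the payload, which this report shows as a string only, not as an executed command.

```python
"""Added example: find anti-analysis indicator strings in a raw memory region
in both ASCII and UTF-16LE, the encoding of managed .NET strings."""
import re

# Indicators are the strings the report lists; the category labels are mine.
INDICATORS = [
    ('SbieDll.dll', 'sandbox: Sandboxie user-mode DLL'),
    ('wine_get_unix_file_name', 'sandbox: Wine kernel32 export'),
    ('VMware SVGA II', 'vm: VMware display adapter'),
    ('SOFTWARE\\VMware, Inc.\\VMware Tools', 'vm: VMware Tools registry key'),
    ('Add-MpPreference -ExclusionPath', 'defense evasion: Defender exclusion cmdlet'),
    ('Hyper-V RAW', 'noise: Winsock AF_HYPERV provider name'),
]
ENCODINGS = (('ascii', 'ascii'), ('utf-16-le', 'utf16'))

# Constructed region: a few managed (UTF-16LE) strings and one ASCII import
# name, separated by zero padding. The offsets in the test follow from these sizes.
REGION = (
    b'\x00' * 8
    + 'SBIEDLL.DLL'.encode('utf-16-le')          # upper-cased, as the report prints it
    + b'\x00' * 4
    + b'kernel32.dll.wine_get_unix_file_name'     # ASCII, as in an import/export table
    + b'\x00' * 4
    + 'VMware SVGA II'.encode('utf-16-le')
    + 'Add-MpPreference -ExclusionPath "'.encode('utf-16-le')
    + b'\x00' * 4
    + 'Hyper-V RAW'.encode('utf-16-le')
)


def _compile(indicator, encoding):
    # Case-insensitive byte match. For UTF-16LE the interleaved NUL bytes are
    # literal, so IGNORECASE only affects the ASCII code units, as intended.
    return re.compile(re.escape(indicator.encode(encoding)), re.IGNORECASE)


def scan_region(blob):
    """Every hit as {'indicator', 'encoding', 'offset', 'category'}, sorted by offset."""
    hits = []
    for indicator, category in INDICATORS:
        for encoding, label in ENCODINGS:
            for match in _compile(indicator, encoding).finditer(blob):
                hits.append({'indicator': indicator, 'encoding': label,
                             'offset': match.start(), 'category': category})
    return sorted(hits, key=lambda h: h['offset'])


def verdict(hits):
    """Distinct non-noise categories; an empty list means nothing worth a second look."""
    return sorted({h['category'] for h in hits if not h['category'].startswith('noise')})


if __name__ == '__main__':
    for hit in scan_region(REGION):
        print(f"{hit['offset']:#06x} {hit['encoding']:5} {hit['indicator']!r:40} {hit['category']}")
    print(verdict(scan_region(REGION)))
```

The practical point is the second encoding: a plain `strings` pass without `-el` (or any scanner that searches ASCII only) misses every managed string in a .NET process dump, which is where the report found these.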
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CV.exe TID: 7024 Thread sleep time: -33317s >= -30000s
Source: C:\Users\user\Desktop\CV.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 217 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 242 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 52 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 65 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 4620 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 4620 Thread sleep time: -960000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6240 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
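Two of the figures above deserve a second look before they are read as sandbox evasion. 922337203685477 is 2^63 divided by 10^4: the magnitude, in milliseconds, of the LONGLONG_MIN relative timeout (0x8000000000000000 in 100-ns ticks) that kernel32's Sleep/SleepEx hand to NtDelayExecution for INFINITE. The report prints the figures with an "s" suffix, but only a millisecond reading makes that identity hold, so milliseconds is what the code below assumes. -1844674407370954 on TID 5728 is exactly two such waits added together. An infinite wait is a thread parked in its main loop or on a wait handle, not a timed delay meant to outlast the sandbox; the finite sleeps (33317 ms on TID 7024, 960000 ms across 48 calls on TID 4620) and the high call counts are the actual evasion signal. The following added example (my code, not the sandbox's) parses the report lines above and makes that separation; the 30 s and 30-call thresholds mirror the report's own ">= -30000" and "> 30" comparisons.

```python
"""Added example (my code, not the sandbox's): decode the sleep figures that
Joe Sandbox prints and separate INFINITE waits from real evasive sleeps."""
import re
from collections import defaultdict

# kernel32's Sleep/SleepEx pass a relative NtDelayExecution timeout of
# LONGLONG_MIN (0x8000000000000000, in 100-ns ticks) for INFINITE. Its
# magnitude in milliseconds is 2**63 // 10**4, the figure seen in the report.
INFINITE_MS = (1 << 63) // 10_000          # 922337203685477
EVASION_THRESHOLD_MS = 30_000              # the report's own '>= -30000' comparison
LOOP_THRESHOLD = 30                        # the report's own '> 30' comparison

# The report's own lines for this signature, copied from above.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\CV.exe TID: 7024 Thread sleep time: -33317s >= -30000s
Source: C:\Users\user\Desktop\CV.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 217 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 242 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 52 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 5728 Thread sleep count: 65 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 4620 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\CV.exe TID: 4620 Thread sleep time: -960000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6240 Thread sleep time: -922337203685477s >= -30000s
"""

_LINE = re.compile(r'Source: (?P<image>.+?) TID: (?P<tid>\d+) '
                   r'Thread sleep (?P<kind>time|count): -?(?P<value>\d+)')


def decode_sleep_ms(ms):
    """('infinite', n) when ms is n stacked INFINITE waits, else ('finite', seconds)."""
    if ms > 0 and ms % INFINITE_MS == 0:
        return ('infinite', ms // INFINITE_MS)
    return ('finite', ms / 1000.0)


def parse_sleep_lines(text):
    """Pull (image, tid, kind, value) out of every 'Thread sleep' report line."""
    records = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            records.append({'image': m['image'], 'tid': int(m['tid']),
                            'kind': m['kind'], 'value': int(m['value'])})
    return records


def triage(text):
    """Per-thread summary keyed by TID, tagged 'idle-wait' (INFINITE: a parked
    thread), 'evasive-sleep' (finite total >= 30 s) and/or 'sleep-loop' (> 30 calls)."""
    threads = defaultdict(lambda: {'image': None, 'infinite_waits': 0,
                                   'finite_ms': 0, 'max_calls': 0, 'tags': []})
    for rec in parse_sleep_lines(text):
        t = threads[rec['tid']]
        t['image'] = rec['image']
        if rec['kind'] == 'count':
            # Separate count lines are separate observation windows; keep the peak.
            t['max_calls'] = max(t['max_calls'], rec['value'])
            continue
        kind, amount = decode_sleep_ms(rec['value'])
        if kind == 'infinite':
            t['infinite_waits'] += amount
        else:
            t['finite_ms'] += rec['value']
    for t in threads.values():
        if t['infinite_waits']:
            t['tags'].append('idle-wait')
        if t['finite_ms'] >= EVASION_THRESHOLD_MS:
            t['tags'].append('evasive-sleep')
        if t['max_calls'] > LOOP_THRESHOLD:
            t['tags'].append('sleep-loop')
    return dict(threads)


if __name__ == '__main__':
    for tid, t in sorted(triage(REPORT_LINES).items()):
        print(tid, t['image'].rsplit('\\', 1)[-1], t['tags'])
```

Run over the lines above, only TIDs 7024 and 4620 come out as evasive sleeps; both dhcpmon.exe threads and CV.exe TID 7064 are plain infinite waits, and TID 5728 is an infinite wait plus a busy sleep loop.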
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\CV.exe Window / User API: foregroundWindowGot 589
Source: C:\Users\user\Desktop\CV.exe Window / User API: foregroundWindowGot 621
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\CV.exe Code function: 0_2_016072F6 sldt word ptr [eax] 0_2_016072F6
Source: C:\Users\user\Desktop\CV.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 33317
Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: dhcpmon.exe, 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp Binary or memory string: vmware
Source: CV.exe, 00000002.00000003.313699817.00000000014E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dhcpmon.exe, 00000004.00000002.336966221.0000000002E71000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\CV.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\CV.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\CV.exe Memory written: C:\Users\user\Desktop\CV.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CV.exe Process created: C:\Users\user\Desktop\CV.exe C:\Users\user\Desktop\CV.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: CV.exe, 00000002.00000003.433434885.0000000001542000.00000004.00000001.sdmp Binary or memory string: Program Managerter2
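Read together, the two signatures above describe self-hollowing: each stage (CV.exe, then the dropped dhcpmon.exe) starts a second copy of its own image suspended and writes a PE image (4D5A is the DOS "MZ" magic) at the 32-bit default image base 0x400000 of the new process, which is why the Yara hits earlier in this report land in a 400000 region of process 5. As an added example (not the sample's code and not the sandbox's detection logic) the following correlates those events into a single alert over a constructed event list; only PIDs 7020 (CV.exe) and 5512 (dhcpmon.exe) are taken from the report's process list, the child PIDs and the benign debugger control at the end are made up.

```python
"""Added example: correlate 'created suspended' with 'wrote a PE image into
it' into one process-hollowing alert, the pattern the two signatures above
describe for CV.exe and dhcpmon.exe."""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit

CV = r'C:\Users\user\Desktop\CV.exe'
DHCPMON = r'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'

# Constructed event list mirroring the report. PIDs 7020 (CV.exe) and 5512
# (dhcpmon.exe) are the report's; the child PIDs and the benign debugger at
# the end are made up.
EVENTS = [
    {'op': 'CreateProcess', 'pid': 7020, 'image': CV, 'child_pid': 7100,
     'child_image': CV, 'flags': CREATE_SUSPENDED},
    {'op': 'WriteProcessMemory', 'pid': 7020, 'image': CV, 'target_pid': 7100,
     'base': 0x400000, 'data': b'MZ\x90\x00\x03\x00'},
    {'op': 'ResumeThread', 'pid': 7020, 'image': CV, 'target_pid': 7100},
    {'op': 'CreateProcess', 'pid': 5512, 'image': DHCPMON, 'child_pid': 5600,
     'child_image': DHCPMON, 'flags': CREATE_SUSPENDED},
    {'op': 'WriteProcessMemory', 'pid': 5512, 'image': DHCPMON, 'target_pid': 5600,
     'base': 0x400000, 'data': b'MZ\x90\x00\x03\x00'},
    # Benign control: a debugger starts its debuggee suspended and plants an
    # int3 breakpoint, not a PE image.
    {'op': 'CreateProcess', 'pid': 4000, 'image': r'C:\Tools\dbg.exe', 'child_pid': 4100,
     'child_image': r'C:\Tools\target.exe', 'flags': CREATE_SUSPENDED},
    {'op': 'WriteProcessMemory', 'pid': 4000, 'image': r'C:\Tools\dbg.exe',
     'target_pid': 4100, 'base': 0x401000, 'data': b'\xcc'},
]


@dataclass
class Alert:
    injector_pid: int
    target_pid: int
    target_image: str
    base: int
    self_hollowing: bool   # target image == injector image, as in this report
    resumed: bool          # main thread resumed after the write: the payload ran


def is_pe_image(data):
    """The sandbox's 'value starts with: 4D5A' check: DOS e_magic 'MZ'."""
    return len(data) >= 2 and data[:2] == b'MZ'


def detect_hollowing(events):
    """One Alert per suspended child that its creator then fills with a PE image."""
    suspended = {}   # child pid -> (creator pid, child image)
    alerts = {}      # child pid -> Alert, in first-seen order
    for ev in events:
        op = ev['op']
        if op == 'CreateProcess' and ev['flags'] & CREATE_SUSPENDED:
            suspended[ev['child_pid']] = (ev['pid'], ev['child_image'])
        elif (op == 'WriteProcessMemory' and ev['target_pid'] in suspended
              and ev['target_pid'] not in alerts):
            creator, child_image = suspended[ev['target_pid']]
            if ev['pid'] == creator and is_pe_image(ev['data']):
                alerts[ev['target_pid']] = Alert(
                    injector_pid=creator, target_pid=ev['target_pid'],
                    target_image=child_image, base=ev['base'],
                    self_hollowing=child_image.lower() == ev['image'].lower(),
                    resumed=False)
        elif op == 'ResumeThread' and ev['target_pid'] in alerts:
            alerts[ev['target_pid']].resumed = True
    return list(alerts.values())


if __name__ == '__main__':
    for alert in detect_hollowing(EVENTS):
        print(alert)
```

The rule is kept as narrow as the two signatures: a suspended child, a PE image written into it by its creator, and optionally a resume. A write of "MZ" into any foreign process is worth an alert on its own in production telemetry; it is left out here only because the report does not show that case.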

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Note: every query in this group targets a file under C:\Windows\Fonts, a pattern consistent with font enumeration by the .NET/GDI+ runtime rather than with deliberate volume fingerprinting; treat this signature as low-signal on its own.
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\CV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.349379459.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: dhcpmon.exe, 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 5.2.dhcpmon.exe.3e595fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e62a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.3e5e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CV.exe.478aac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.dhcpmon.exe.3f9aac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.349313749.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.337548650.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.349379459.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.348554360.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305068384.0000000004661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5300, type: MEMORYSTR