
Windows Analysis Report CV.exe

Overview

General Information

Sample Name: CV.exe
Analysis ID: 527613
MD5: de2d175988e8d0e1d9c37482fb37c66c
SHA1: d4e7bacea5b7ee3deb72f73cff98b286661f612e
SHA256: 37649a092c0ad878f4fb8d8578c2e7ca110360ba1575e0697baf1efa8e5cb409
Tags: exe NanoCore RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • CV.exe (PID: 4020 cmdline: "C:\Users\user\Desktop\CV.exe" MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • CV.exe (PID: 360 cmdline: C:\Users\user\Desktop\CV.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
  • dhcpmon.exe (PID: 5628 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • dhcpmon.exe (PID: 1664 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • dhcpmon.exe (PID: 5348 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • dhcpmon.exe (PID: 7096 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • WMIADAP.exe (PID: 7096 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "f4157c11-54e5-4893-8a60-6856b847",
  "Group": "Default",
  "Domain1": "dera31.ddns.net",
  "Domain2": "195.133.18.211",
  "Port": 1187,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Memory Dumps

Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

(The report lists 50 memory dump entries; the first five are shown above.)

Unpacked PEs

Source: 14.2.dhcpmon.exe.425e434.5.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Source: 14.2.dhcpmon.exe.425e434.5.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

Source: 14.2.dhcpmon.exe.425e434.5.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 14.2.dhcpmon.exe.400000.0.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 14.2.dhcpmon.exe.400000.0.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

(The report lists 82 unpacked PE entries; the first five are shown above.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CV.exe, ProcessId: 360, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CV.exe, ProcessId: 360, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CV.exe, ProcessId: 360, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CV.exe, ProcessId: 360, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        AV Detection:

Found malware configuration
Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: dera31.ddns.net, Virustotal: Detection: 6%
Yara detected Nanocore RAT
Source: Yara match, File source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTR
Source: 14.0.dhcpmon.exe.400000.6.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.6.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: CV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\CV.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CV.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49788 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49794 -> 194.85.248.250:1187
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 194.85.248.250:1187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: dera31.ddns.net
Source: Malware configuration extractor, URLs: 195.133.18.211
Uses dynamic DNS services
Source: unknown, DNS query: name: dera31.ddns.net
Source: Joe Sandbox View, ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View, ASN Name: DATACENTERRO DATACENTERRO
Source: Joe Sandbox View, IP Address: 195.133.18.211 195.133.18.211
Source: global traffic, TCP traffic: 192.168.2.3:49742 -> 194.85.248.250:1187
Source: global traffic, TCP traffic: 192.168.2.3:49819 -> 195.133.18.211:1187
Source: unknown, TCP traffic detected without corresponding DNS query: 195.133.18.211