Windows Analysis Report CV.exe

Overview

General Information

Sample Name: CV.exe
Analysis ID: 527613
MD5: de2d175988e8d0e1d9c37482fb37c66c
SHA1: d4e7bacea5b7ee3deb72f73cff98b286661f612e
SHA256: 37649a092c0ad878f4fb8d8578c2e7ca110360ba1575e0697baf1efa8e5cb409
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • CV.exe (PID: 4020 cmdline: "C:\Users\user\Desktop\CV.exe" MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • CV.exe (PID: 360 cmdline: C:\Users\user\Desktop\CV.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
  • dhcpmon.exe (PID: 5628 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • dhcpmon.exe (PID: 1664 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • dhcpmon.exe (PID: 5348 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • dhcpmon.exe (PID: 7096 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DE2D175988E8D0E1D9C37482FB37C66C)
    • WMIADAP.exe (PID: 7096 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.dhcpmon.exe.425e434.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
14.2.dhcpmon.exe.425e434.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.425e434.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
14.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\CV.exe, ProcessId: 360, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: dera31.ddns.net | Virustotal: Detection: 6%
Yara detected Nanocore RAT
Source: Yara match | File source: 14.2.dhcpmon.exe.425e434.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.4262a5d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.425e434.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3b74dd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CV.exe.405a1f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3bda1f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CV.exe.3ed0ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CV.exe.3ff4dd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3a50ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.338928504.0000000004211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTR
Source: 14.0.dhcpmon.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.dhcpmon.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.CV.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: CV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\CV.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49788 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49794 -> 194.85.248.250:1187
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 194.85.248.250:1187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: dera31.ddns.net
Source: Malware configuration extractor | URLs: 195.133.18.211
Uses dynamic DNS services
Source: unknown | DNS query: name: dera31.ddns.net
Source: Joe Sandbox View | ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View | ASN Name: DATACENTERRO DATACENTERRO
Source: Joe Sandbox View | IP Address: 195.133.18.211 195.133.18.211
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 194.85.248.250:1187
Source: global traffic | TCP traffic: 192.168.2.3:49819 -> 195.133.18.211:1187
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.211
Source: CV.exe, 00000000.00000003.273349193.0000000005252000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CV.exe, 00000000.00000003.274789605.0000000005252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: CV.exe, 00000000.00000003.274789605.0000000005252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-u
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: dhcpmon.exe, 0000000A.00000002.330203644.0000000007950000.00000004.00020000.sdmp | String found in binary or memory: http://www.chinhdo.com
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CV.exe, 00000000.00000003.278173438.000000000527D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlb-n
Source: CV.exe, 00000000.00000003.278173438.000000000527D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlv
Source: CV.exe, 00000000.00000003.277704375.000000000527E000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: CV.exe, 00000000.00000003.278136471.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: CV.exe, 00000000.00000002.294305055.000000000525C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: CV.exe, 00000000.00000003.278136471.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdj
Source: CV.exe, 00000000.00000002.294305055.000000000525C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comicm
Source: CV.exe, 00000000.00000002.294305055.000000000525C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commno4
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: CV.exe, 00000000.00000003.274113146.0000000005252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: CV.exe, 00000000.00000003.274113146.0000000005252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn&
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CV.exe, 00000000.00000003.273839413.0000000005259000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnA
Source: CV.exe, 00000000.00000003.274113146.0000000005252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnb
Source: CV.exe, 00000000.00000003.273839413.0000000005259000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cny
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CV.exe, 00000000.00000003.279788089.000000000527E000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//e
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?0
Source: CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/F
Source: CV.exe, 00000000.00000003.274992799.000000000525F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
Source: CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/talic
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp, CV.exe, 00000000.00000003.272654599.000000000526B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: CV.exe, 00000000.00000003.272654599.000000000526B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com2
Source: CV.exe, 00000000.00000003.272654599.000000000526B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comaB
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp, CV.exe, 00000000.00000003.274272795.000000000528D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: CV.exe, 00000000.00000003.274737881.0000000005260000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comA
Source: CV.exe, 00000000.00000003.274767525.000000000525B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
Source: CV.exe, 00000000.00000003.274825775.000000000528E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn
Source: CV.exe, 00000000.00000003.274767525.000000000525B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: dera31.ddns.net
Source: dhcpmon.exe, 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

System Summary:

        Malicious sample detected (through community Yara rule)Show sources
        Source: 14.2.dhcpmon.exe.425e434.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.4262a5d.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.3233ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.425e434.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.dhcpmon.exe.3b74dd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.dhcpmon.exe.3b74dd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CV.exe.405a1f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.CV.exe.405a1f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.dhcpmon.exe.3bda1f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.dhcpmon.exe.3bda1f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CV.exe.3ed0ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.CV.exe.3ed0ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CV.exe.3ff4dd0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.CV.exe.3ff4dd0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.dhcpmon.exe.3a50ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.dhcpmon.exe.3a50ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.338928504.0000000004211000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
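        The rows above name every hit by a Joe Sandbox dump identifier, so the same payload shows up dozens of times across processes 0, 5, 10 and 14 and three dump kinds. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses rows in the "Source: ..., type: ..., Matched rule: ..., Author: ..." format (both the comma-separated form and the fused form extraction produces), decodes the dump names, and groups the hits per process, marking hits that fall in executable-writable memory. The decoding is an assumption drawn from the names as they appear here and is not documented by the report: a .sdmp name is read as process index (hex), dump stage, dump id, base address, and a Windows PAGE_* protection value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE, constants from winnt.h), with the last field left undecoded; an .unpack name as process index (decimal), stage, image name, base address and dump index. The sample input is a handful of rows copied from the table above plus one non-YARA row that the parser must ignore, so the script runs offline.

```python
"""Group Joe Sandbox YARA-match rows by process (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Windows memory-protection constants (winnt.h). Assumption: the fifth field of a
# .sdmp dump name is the PAGE_* protection of the dumped region.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# One table row; "type" and "Matched rule" may be comma-separated or fused to the
# next label ("UNPACKEDPEMatched rule:"), and both forms are accepted.
ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<kind>[A-Z]+),?\s*"
    r"Matched rule:\s*(?P<rule>.+?)\s*,?\s*Author:\s*(?P<author>.+?)\s*$"
)
# <proc hex>.<stage>.<dump id>.<base>.<protection>.<undecoded>.sdmp  (assumed layout)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
# <proc decimal>.<stage>.<image>.<base hex>.<index>[.raw].unpack  (assumed layout)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"\d+(?:\.raw)?\.unpack$"
)
PROCMEM_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")


def parse_source(source):
    """Return (process key, image, stage, base, protection) for a source name,
    None for fields the name does not carry, and None if the name is unknown."""
    m = SDMP_RE.match(source)
    if m:
        prot = int(m["prot"], 16)
        return (f"proc{int(m['proc'], 16)}", None, int(m["stage"], 16),
                int(m["base"], 16), PAGE_PROTECTION.get(prot, hex(prot)))
    m = UNPACK_RE.match(source)
    if m:
        return (f"proc{int(m['proc'])}", m["image"], int(m["stage"]),
                int(m["base"], 16), None)
    m = PROCMEM_RE.match(source)
    if m:
        return (f"pid{m['pid']}", m["image"], None, None, None)
    return None


def summarize(report_lines):
    """Per process: image name, distinct rules, row count, and the base addresses
    of hits that sit in PAGE_EXECUTE_READWRITE memory."""
    procs = defaultdict(lambda: {"image": None, "rules": set(),
                                 "rwx_bases": set(), "rows": 0})
    for line in report_lines:
        row = ROW_RE.search(line)
        if not row:
            continue                        # not a YARA-match row (e.g. static PE info)
        decoded = parse_source(row["source"].strip())
        if decoded is None:
            continue
        key, image, _stage, base, prot = decoded
        entry = procs[key]
        entry["rows"] += 1
        entry["rules"].add(row["rule"].strip())
        if image and entry["image"] is None:
            entry["image"] = image          # .sdmp names carry no image; learn it from .unpack rows
        if prot == "PAGE_EXECUTE_READWRITE" and base is not None:
            entry["rwx_bases"].add(base)
    return dict(procs)


def injected_processes(summary):
    """Processes with a YARA hit inside RWX memory. A file-backed image section is
    normally mapped execute-read, so an RWX hit at the image base is consistent
    with code written into the process rather than loaded from disk."""
    return sorted(k for k, v in summary.items() if v["rwx_bases"])


# Sample input: rows copied from the table above (the first left in the fused form)
# plus one static-PE row that is not a YARA match and must be skipped.
SAMPLE = """\
Source: 14.2.dhcpmon.exe.425e434.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: CV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
"""


def main():
    summary = summarize(SAMPLE.splitlines())
    for key in sorted(summary):
        e = summary[key]
        rwx = ", ".join(hex(b) for b in sorted(e["rwx_bases"])) or "-"
        print(f"{key:8} image={e['image'] or '?':12} rows={e['rows']} "
              f"rules={sorted(e['rules'])} rwx_bases={rwx}")
    print("RWX hits in:", injected_processes(summary))


if __name__ == "__main__":
    main()
```

        Run against the full table rather than the sample, the grouping collapses the list to four processes, and the RWX hits at 0x402000 in processes 5 (CV.exe) and 14 (dhcpmon.exe) line up with the report's own "Injects a PE file into a foreign processes" finding; the hex process index in .sdmp names (0000000E) and the decimal one in .unpack names (14.) refer to the same process, which the parser uses to attach an image name to memory-only hits.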
        Source: CV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 14.2.dhcpmon.exe.425e434.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.2.dhcpmon.exe.425e434.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.2.dhcpmon.exe.4262a5d.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.2.dhcpmon.exe.4262a5d.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.2.dhcpmon.exe.3233ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.2.dhcpmon.exe.3233ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.2.dhcpmon.exe.425e434.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.2.dhcpmon.exe.425e434.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
        Source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 10.2.dhcpmon.exe.3b74dd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 10.2.dhcpmon.exe.3b74dd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 0.2.CV.exe.405a1f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 0.2.CV.exe.405a1f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 10.2.dhcpmon.exe.3bda1f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 10.2.dhcpmon.exe.3bda1f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 0.2.CV.exe.3ed0ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 0.2.CV.exe.3ed0ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 0.2.CV.exe.3ff4dd0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 0.2.CV.exe.3ff4dd0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 10.2.dhcpmon.exe.3a50ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 10.2.dhcpmon.exe.3a50ca8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
        Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.338928504.0000000004211000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_007966F5
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_04FB48E8
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_04FB48D8
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_04FB4B30
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_04FB4B20
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_04FB0330
        Source: C:\Users\user\Desktop\CV.exeCode function: 0_2_04FB0321
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_002466F5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04BA3C32
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04BA48E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04BA48D8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04BA4B30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04BA0330
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04BA0321
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_000166F5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00A466F5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_02D023A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_02D02FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_02D0306F
        Source: CV.exe, 00000000.00000000.271715261.00000000007FC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSafeIsolatedStorageFileHand.exe. vs CV.exe
        Source: CV.exe, 00000000.00000002.294391346.00000000064E0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs CV.exe
        Source: CV.exe, 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs CV.exe
        Source: CV.exe, 00000005.00000000.285128036.000000000067C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSafeIsolatedStorageFileHand.exe. vs CV.exe
        Source: CV.exeBinary or memory string: OriginalFilenameSafeIsolatedStorageFileHand.exe. vs CV.exe
        Source: CV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CV.exeFile read: C:\Users\user\Desktop\CV.exeJump to behavior
        Source: CV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\CV.exe "C:\Users\user\Desktop\CV.exe"
        Source: C:\Users\user\Desktop\CV.exeProcess created: C:\Users\user\Desktop\CV.exe C:\Users\user\Desktop\CV.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
        Source: C:\Users\user\Desktop\CV.exeProcess created: C:\Users\user\Desktop\CV.exe C:\Users\user\Desktop\CV.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\CV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_065F0CBE AdjustTokenPrivileges,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_065F0C87 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\CV.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CV.exe.logJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@11/6@9/3
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.0.CV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.0.CV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.0.CV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.0.CV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\CV.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CV.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\CV.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\CV.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CV.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\CV.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f4157c11-54e5-4893-8a60-6856b8471d8c}
        Source: C:\Users\user\Desktop\CV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\CV.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: CV.exe, 00000000.00000003.278136471.000000000525D000.00000004.00000001.sdmpBinary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\CV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\CV.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: CV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: CV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: CV.exe, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.2.CV.exe.790000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.0.CV.exe.790000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: dhcpmon.exe.5.dr, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.3.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.9.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.2.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.7.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.5.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.1.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.11.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.610000.13.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.CV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.dhcpmon.exe.240000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 10.0.dhcpmon.exe.240000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.10000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.10000.1.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.2.dhcpmon.exe.10000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.10000.2.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.10000.3.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 12.0.dhcpmon.exe.10000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.10000.0.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 12.0.dhcpmon.exe.10000.3.unpack, Tetris/TetrisGame.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2F0D push edi; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2BC9 push eax; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2AC0 push ecx; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F299D push edi; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2F19 push edi; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2D28 push eax; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2D7D push eax; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2E3C push eax; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_010F2938 push edi; ret
        Source: C:\Users\user\Desktop\CV.exe | Code function: 0_2_04FB8556 push ecx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2E3C push eax; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2D7D push eax; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2938 push edi; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2D28 push eax; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC299D push edi; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2F19 push edi; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2F0D push edi; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2BC9 push eax; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00BC2AC0 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_026A0AF6 push 00000002h; retn 0010h
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04BA8556 push ecx; iretd
        Source: initial sample | Static PE information: section name: .text entropy: 7.90812052873
        Source: initial sample | Static PE information: section name: .text entropy: 7.90812052873
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.CV.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.CV.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.0.CV.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.CV.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.0.CV.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.CV.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.0.CV.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\CV.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\CV.exe File opened: C:\Users\user\Desktop\CV.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\CV.exe Process information set: NOOPENFILEERRORBOX (72 identical entries)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (52 identical entries)

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match File source: 0.2.CV.exe.2e7f178.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.dhcpmon.exe.29ff1b8.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000000.00000002.290046292.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.325943283.0000000002A17000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.290082065.0000000002E95000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: CV.exe, 00000000.00000002.290082065.0000000002E95000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: CV.exe, 00000000.00000002.290082065.0000000002E95000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\CV.exe TID: 6272 Thread sleep time: -31203s >= -30000s
        Source: C:\Users\user\Desktop\CV.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\CV.exe TID: 6660 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\CV.exe TID: 6660 Thread sleep count: 123 > 30
        Source: C:\Users\user\Desktop\CV.exe TID: 6660 Thread sleep count: 40 > 30
        Source: C:\Users\user\Desktop\CV.exe TID: 6672 Thread sleep count: 443 > 30
        Source: C:\Users\user\Desktop\CV.exe TID: 6660 Thread sleep count: 211 > 30
        Source: C:\Users\user\Desktop\CV.exe TID: 6648 Thread sleep count: 33 > 30
        Source: C:\Users\user\Desktop\CV.exe TID: 6648 Thread sleep time: -660000s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5620 Thread sleep time: -38122s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4508 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5608 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\CV.exe Window / User API: threadDelayed 443
        Source: C:\Users\user\Desktop\CV.exe Window / User API: foregroundWindowGot 933
        Source: C:\Users\user\Desktop\CV.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 31203
        Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\CV.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 38122
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: dhcpmon.exe, 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\CV.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\CV.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\CV.exe Memory written: C:\Users\user\Desktop\CV.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\CV.exe Process created: C:\Users\user\Desktop\CV.exe C:\Users\user\Desktop\CV.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: CV.exe, 00000005.00000003.375345059.0000000000D71000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: CV.exe, 00000005.00000003.318477579.0000000000D72000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
        Source: CV.exe, 00000005.00000003.382369209.0000000000D71000.00000004.00000001.sdmp Binary or memory string: Program Managert$
        Source: CV.exe, 00000005.00000003.293775830.0000000000D72000.00000004.00000001.sdmp Binary or memory string: Program ManagerLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLIST
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\CV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 14.2.dhcpmon.exe.425e434.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.0.CV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.4262a5d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.0.CV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.0.CV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.dhcpmon.exe.3a50ca8.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.0.CV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.425e434.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CV.exe.3ed0ca8.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.42595fe.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.0.CV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.dhcpmon.exe.3b74dd0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CV.exe.405a1f0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.dhcpmon.exe.3bda1f0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CV.exe.3ed0ca8.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CV.exe.3ff4dd0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.dhcpmon.exe.3a50ca8.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.338928504.0000000004211000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CV.exe PID: 4020, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: CV.exe PID: 360, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5628, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7096, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: CV.exe, 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CV.exe, 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match (same file and memory sources as listed for this signature under Stealing of Sensitive Information above)

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation1 | Masquerading2 | Input Capture11 | Security Software Discovery11 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection112 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing13 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Behavior Graph ID: 527613 | Sample: CV.exe | Startdate: 24/11/2021 | Architecture: WINDOWS | Score: 100
        Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures
        Started from the sample: CV.exe; dhcpmon.exe
        CV.exe: Injects a PE file into a foreign processes; starts a child CV.exe
        dhcpmon.exe: starts three further dhcpmon.exe instances and WMIADAP.exe
        Child CV.exe, DNS/IP: dera31.ddns.net 194.85.248.250, ports 1187, 49742, 49743 (DATACENTERRO, Russian Federation); 195.133.18.211, port 1187 (AS-REGRU, Russian Federation); 192.168.2.1 (unknown, unknown)
        Child CV.exe, dropped files: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
        Child CV.exe, signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        Source | Detection | Scanner | Label
        14.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.0.CV.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.0.CV.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.0.CV.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.0.CV.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.0.CV.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        dera31.ddns.net | 6% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        http://www.jiyu-kobo.co.jp/jp/? | 0% | Avira URL Cloud | safe
        http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/Y0/F | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cnA | 0% | URL Reputation | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp//e | 0% | Avira URL Cloud | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.carterandcone.com | 0% | URL Reputation | safe
        http://www.tiro.comA | 0% | Avira URL Cloud | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cny | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/- | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.sajatypeworks.comaB | 0% | Avira URL Cloud | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.chinhdo.com | 0% | URL Reputation | safe
        http://www.sakkal.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cnb | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
        http://www.fontbureau.comF | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/Y0et | 0% | Avira URL Cloud | safe
        http://www.tiro.comslnt | 0% | URL Reputation | safe
        http://www.tiro.comn | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/?0 | 0% | Avira URL Cloud | safe
        http://www.fontbureau.commno4 | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
        dera31.ddns.net | 0% | Avira URL Cloud | safe
        http://www.fontbureau.coma | 0% | URL Reputation | safe
        http://www.fontbureau.comicm | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/? | 0% | URL Reputation | safe
        http://www.fontbureau.comdj | 0% | Avira URL Cloud | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.carterandcone.com-u | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/j | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn& | 0% | URL Reputation | safe
        http://www.tiro.comic | 0% | URL Reputation | safe
        195.133.18.211 | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/talic | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        dera31.ddns.net | 194.85.248.250 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        dera31.ddns.net | true | Avira URL Cloud: safe | unknown
        195.133.18.211 | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.jiyu-kobo.co.jp/jp/? | CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.fontbureau.com/designersG | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.sajatypeworks.com2 | CV.exe, 00000000.00000003.272654599.000000000526B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/? | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.founder.com.cn/cn/bThe | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/cabarga.htmlb-n | CV.exe, 00000000.00000003.278173438.000000000527D000.00000004.00000001.sdmp | false | | high
        http://www.fontbureau.com/designers? | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.jiyu-kobo.co.jp/Y0/F | CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.founder.com.cn/cnA | CV.exe, 00000000.00000003.273839413.0000000005259000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.tiro.com | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp, CV.exe, 00000000.00000003.274272795.000000000528D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp//e | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.fontbureau.com/designers | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.goodfont.co.kr | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.carterandcone.com | CV.exe, 00000000.00000003.274789605.0000000005252000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.tiro.comA | CV.exe, 00000000.00000003.274737881.0000000005260000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.sajatypeworks.com | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp, CV.exe, 00000000.00000003.272654599.000000000526B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.typography.netD | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn/cThe | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/staff/dennis.htm | CV.exe, 00000000.00000003.279788089.000000000527E000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://fontfabrik.com | CV.exe, 00000000.00000003.273349193.0000000005252000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cny | CV.exe, 00000000.00000003.273839413.0000000005259000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/- | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/DPlease | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/Y0 | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fonts.com | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.sandoll.co.kr | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.sajatypeworks.comaB | CV.exe, 00000000.00000003.272654599.000000000526B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.urwpp.deDPlease | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.zhongyicts.com.cn | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.chinhdo.com | dhcpmon.exe, 0000000A.00000002.330203644.0000000007950000.00000004.00020000.sdmp | false | URL Reputation: safe | unknown
        http://www.sakkal.com | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cnb | CV.exe, 00000000.00000003.274113146.0000000005252000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0 | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.fontbureau.com | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.jiyu-kobo.co.jp/X | CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.comF | CV.exe, 00000000.00000003.278136471.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/Y0et | CV.exe, 00000000.00000003.274992799.000000000525F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.tiro.comslnt | CV.exe, 00000000.00000003.274767525.000000000525B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/cabarga.htmlv | CV.exe, 00000000.00000003.278173438.000000000527D000.00000004.00000001.sdmp | false | | high
        http://www.tiro.comn | CV.exe, 00000000.00000003.274825775.000000000528E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/?0 | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.fontbureau.commno4 | CV.exe, 00000000.00000002.294305055.000000000525C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.jiyu-kobo.co.jp/jp/ | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.coma | CV.exe, 00000000.00000002.294305055.000000000525C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.comicm | CV.exe, 00000000.00000002.294305055.000000000525C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.jiyu-kobo.co.jp/? | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.comdj | CV.exe, 00000000.00000003.278136471.000000000525D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.carterandcone.coml | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/cabarga.htmlN | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.founder.com.cn/cn | CV.exe, 00000000.00000003.274113146.0000000005252000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/frere-jones.html | CV.exe, 00000000.00000003.277704375.000000000527E000.00000004.00000001.sdmp, CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.jiyu-kobo.co.jp/ | CV.exe, 00000000.00000003.275276545.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.carterandcone.com-u | CV.exe, 00000000.00000003.274789605.0000000005252000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.fontbureau.com/designers8 | CV.exe, 00000000.00000002.294425809.0000000006512000.00000004.00000001.sdmp | false | | high
        http://www.jiyu-kobo.co.jp/j | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn& | CV.exe, 00000000.00000003.274113146.0000000005252000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.tiro.comic | CV.exe, 00000000.00000003.274767525.000000000525B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/talic | CV.exe, 00000000.00000003.275120294.000000000525D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                Contacted IPs

                                Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        195.133.18.211 | unknown | Russian Federation | 197695 | AS-REGRU | true
        194.85.248.250 | dera31.ddns.net | Russian Federation | 35478 | DATACENTERRO | true

                                Private

                                IP
                                192.168.2.1

                                General Information

                                Joe Sandbox Version:34.0.0 Boulder Opal
                                Analysis ID:527613
                                Start date:24.11.2021
                                Start time:03:42:08
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 10m 20s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:CV.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@11/6@9/3
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 1% (good quality ratio 0.8%)
                                • Quality average: 36.2%
                                • Quality standard deviation: 21.6%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
03:43:01 | API Interceptor | 931x Sleep call for process: CV.exe modified
03:43:06 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
03:43:16 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified
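The Run-key entry recorded above, together with the C2 host and contacted IPs from the network section (dera31.ddns.net, 195.133.18.211, 194.85.248.250), are the indicators an analyst would push into detection. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it matches constructed DNS and connection log lines and a constructed `reg query` dump of the Run key against those indicators. The log line layout, the client IP, the benign noise entries and the destination port in the sample lines are made up; the report notes traffic on a non-standard port but does not say which one.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from this report: C2 host, contacted IPs, the Run value and the dropped binary.
C2_DOMAIN = "dera31.ddns.net"
C2_IPS = {"195.133.18.211", "194.85.248.250"}
RUN_VALUE_NAME = "DHCP Monitor"
DROPPED_PATH = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"


@dataclass(frozen=True)
class Hit:
    source: str     # "dns", "conn" or "runkey"
    indicator: str  # the IOC that matched
    evidence: str   # the line it matched in


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# 'reg query' prints one value per line: <name>  <type>  <data>, separated by runs of spaces.
RUN_ENTRY_RE = re.compile(r"^\s*(.+?)\s{2,}(REG_SZ|REG_EXPAND_SZ)\s+(.+?)\s*$")


def scan_network_log(lines: List[str]) -> List[Hit]:
    """Flag DNS queries for the C2 host and any line carrying a contacted IP.
    Line layout is constructed for this example:
      '<ts> dns <client> <qname> <answer>'  or  '<ts> conn <src>:<port> -> <dst>:<port>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        kind = fields[1]
        if kind == "dns":
            qname = fields[3].rstrip(".").lower()
            # Match on the name: a ddns.net host can be re-pointed to a new IP at any time.
            if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
                hits.append(Hit("dns", C2_DOMAIN, line))
                continue
        c2 = [ip for ip in IP_RE.findall(line) if ip in C2_IPS]
        if c2:
            hits.append(Hit(kind, c2[0], line))
    return hits


def scan_run_key_dump(text: str) -> List[Hit]:
    """Flag the persistence entry in a 'reg query HKLM\\...\\Run' dump. Match on the value
    name, the full image path, or just the file name, since any one of them can be changed
    while the others survive."""
    hits = []
    for line in text.splitlines():
        m = RUN_ENTRY_RE.match(line)
        if not m:
            continue
        name, _, image = m.groups()
        image_l = image.lower()
        if name == RUN_VALUE_NAME or image_l == DROPPED_PATH.lower() or image_l.endswith("\\dhcpmon.exe"):
            hits.append(Hit("runkey", name, line.strip()))
    return hits


# Constructed sample input. Client IP, benign entries and the destination port are made up.
SAMPLE_NETWORK_LOG = [
    "2021-11-24T03:43:05Z dns 192.168.2.5 fs.microsoft.com 23.211.4.86",
    "2021-11-24T03:43:07Z dns 192.168.2.5 dera31.ddns.net 194.85.248.250",
    "2021-11-24T03:43:08Z conn 192.168.2.5:49713 -> 194.85.248.250:4444",
    "2021-11-24T03:43:09Z conn 192.168.2.5:49714 -> 195.133.18.211:4444",
    "2021-11-24T03:43:10Z conn 192.168.2.5:49715 -> 23.211.4.86:443",
]
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    DHCP Monitor    REG_SZ    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
"""

if __name__ == "__main__":
    for h in scan_network_log(SAMPLE_NETWORK_LOG) + scan_run_key_dump(SAMPLE_REG_QUERY):
        print(f"[{h.source}] {h.indicator}: {h.evidence}")
```

The domain match is deliberately independent of the resolved address: the report shows dera31.ddns.net resolving to 194.85.248.250 in this run and the same host associated with 195.133.18.211 in earlier submissions, so an IP-only rule would lag behind the operator's DNS changes.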

                                Joe Sandbox View / Context

                                IPs

Match: 195.133.18.211
Associated Sample Name / URL | Detection
circular_11_17_21.exe | malicious
Bank Report.exe | malicious
cliff.kuhfeldt's CV.exe | malicious
Jessica Ohnesorge'CV.exe | malicious
Change Of Registration Form.exe | malicious
Payment invoice.exe | malicious
Wire Transfer Slip.exe | malicious
Advise.exe | malicious
Bank Report.exe | malicious
N5HlpHINh2.exe | malicious
BL draft.exe | malicious

                                                      Domains

Match: dera31.ddns.net
Associated Sample Name / URL | Detection | Context (resolved IP)
circular_11_17_21.exe | malicious | 195.133.18.211
Bank Report.exe | malicious | 195.133.18.211
cliff.kuhfeldt's CV.exe | malicious | 195.133.18.211
Jessica Ohnesorge'CV.exe | malicious | 195.133.18.211
Change Of Registration Form.exe | malicious | 195.133.18.211
Payment invoice.exe | malicious | 195.133.18.211
Wire Transfer Slip.exe | malicious | 195.133.18.211
Advise.exe | malicious | 195.133.18.211
Bank Report.exe | malicious | 195.133.18.211
N5HlpHINh2.exe | malicious | 195.133.18.211
BL draft.exe | malicious | 195.133.18.211

                                                      ASN

Match: AS-REGRU
Associated Sample Name / URL | Detection | Context (IP)
wnRWWNwExD.exe | malicious | 194.58.112.165
o3j25D1Pg1.exe | malicious | 195.133.18.66
PjvBTyWpg6.exe | malicious | 31.31.196.67
Ez6r9fZIXc.exe | malicious | 37.140.192.43
PURCHASE ORDER.doc | malicious | 194.58.112.174
circular_11_17_21.exe | malicious | 195.133.18.211
Bank Report.exe | malicious | 195.133.18.211
6iXle7QJdI.exe | malicious | 194.87.206.125
cliff.kuhfeldt's CV.exe | malicious | 195.133.18.211
D3mOH96307.exe | malicious | 194.87.206.125
05hZwJ8NB7 | malicious | 193.124.16.215
EC833E37264C772DE689338F22B307BC864390E62D1CD.exe | malicious | 31.31.198.18
Jessica Ohnesorge'CV.exe | malicious | 195.133.18.211
Change Of Registration Form.exe | malicious | 195.133.18.211
#U0401XCEL.xlam | malicious | 31.31.198.180
#U0401XCEL.xlam | malicious | 31.31.198.180
Payment invoice.exe | malicious | 195.133.18.211
tt copy 200393903.exe | malicious | 194.58.112.174
Wire Transfer Slip.exe | malicious | 195.133.18.211
yaflq3D6ft | malicious | 195.133.18.213

Match: DATACENTERRO
Associated Sample Name / URL | Detection | Context (IP)
TMR590241368.exe | malicious | 194.85.248.115
vIyyHkRXJn | malicious | 194.85.250.154
267A80yAhp | malicious | 194.85.250.154
QJYxAALd23 | malicious | 194.85.250.154
z4bJfjXDDQ | malicious | 194.85.250.154
XXaLHoecGp | malicious | 194.85.250.154
AGiCic4uDz | malicious | 194.85.250.154
3B3BMxYG8n | malicious | 194.85.250.154
6WMo1OYmk3 | malicious | 194.85.250.154
dycuTng5W8 | malicious | 194.85.250.154
xINX4f5M8s | malicious | 194.85.250.154
SSIuSyaBAF | malicious | 194.85.250.154
IMG600094173852.exe | malicious | 194.85.248.115
cdQc14SeRu | malicious | 194.85.248.128
t5dIUw7hgh | malicious | 194.85.248.128
9hYMlirC3x | malicious | 194.85.248.128
qd7I0rgtfU | malicious | 194.85.248.128
aKU4GDKdTZ | malicious | 194.85.248.128
oGszHCs1c7 | malicious | 194.85.248.128
8xj3h1p4UR | malicious | 194.85.248.128

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Process:C:\Users\user\Desktop\CV.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):431104
                                                      Entropy (8bit):7.8927039026454215
                                                      Encrypted:false
                                                      SSDEEP:6144:EimL+T2bm+Ds2n+/10GrM2cwktwooxz6MuDHWfqvfNP80/lg82D6F2:7Q5yDY+/1tcwYa6HD7vfa0tP5A
                                                      MD5:DE2D175988E8D0E1D9C37482FB37C66C
                                                      SHA1:D4E7BACEA5B7EE3DEB72F73CFF98B286661F612E
                                                      SHA-256:37649A092C0AD878F4FB8D8578C2E7CA110360BA1575E0697BAF1EFA8E5CB409
                                                      SHA-512:A9B300CDDDCA05FF8235DEFD5718C4F491D94F2F8840DBDA81E874C69AB2049E082177E439B2A3AAC5AC1D3BC214B038F4E38FE454CE57077DE25220BBE2E5A1
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..a..............0.................. ........@.. ....................................@.................................X...O.................................................................................... ............... ..H............text...0.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`...C......n...x................................................0..7........r...p(.....s..........+..........X....i2..o......+...*..0...........r...p..(......9.......(.....s.....s................8..............-...o.....1...o.....]...+......,....o...........,...o.......+......,%...o...........,.....o....o............,...o.......+......,......o..........X.......i?W.....o......8......( ............,.....o....,.....o.....]...+......,....o!...&........+3..........o......
                                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\CV.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CV.exe.log
                                                      Process:C:\Users\user\Desktop\CV.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):525
                                                      Entropy (8bit):5.2874233355119316
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                      MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):525
                                                      Entropy (8bit):5.2874233355119316
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                      MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                      Process:C:\Users\user\Desktop\CV.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):232
                                                      Entropy (8bit):7.117516745217376
                                                      Encrypted:false
                                                      SSDEEP:6:X4LDAnybgCFcpJSQwP4d7V9Nhyleajl0fuONKcpMe5i:X4LEnybgCFCtvd7V9NYRj+GONKaMv
                                                      MD5:CF55DF705B79F961ED069D8E84D2AF1C
                                                      SHA1:574CDF36753CF356A25872BCCAA3CC6FFCD5D23F
                                                      SHA-256:DF982E10764D21FCB1469EB6EA1175AC69544C68900B0DD8C79A0FE8A8F300F5
                                                      SHA-512:518A037DF1D6FBC8A296DA5B96B67E073FB1F674090AFE3243E52A65B169DE35FC041C2C05F7EEF9EC74A0100A422E53B3D7D920E5ADF6CE42B82FE94244F5DE
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL...Q.F...@.h.......y.[....e..<..n....B...PP...azZ).~..Uj.>..H.b.O..AX.E.S&.O.k.3O'.Lge...$..teI....Hw.CT.].Z.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                      Process:C:\Users\user\Desktop\CV.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):3.0
                                                      Encrypted:false
                                                      SSDEEP:3:gcntn:g4t
                                                      MD5:09C4C91F5364F32EF3A66B193BEA2356
                                                      SHA1:FA2B1407EB49037BD09F6ABBC2246412EEAF2E68
                                                      SHA-256:AB67530DE412585A0B18BECBF5502466C563397A87E30429D52ED39EBC575A4D
                                                      SHA-512:391C5AD23773CC4F6F49AC77231C5E9EE198857B4559E5FF75B0CA44640792F0E23BA67B241F8E7B7AB61B3641DD748941A42930A5A034C74667864E28548FD6
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: r.D.?..H
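Three things in the dropped-file table above matter to an analyst: dhcpmon.exe carries exactly the hashes of CV.exe (the persistence copy is the sample itself), its 8-bit entropy of 7.89 is far above what a plain .NET assembly shows, and the Zone.Identifier stream written next to it says ZoneId=0, i.e. "local machine", so the copy carries no Mark-of-the-Web. The Python below is an added example, not part of the report or the sample: it computes the same 8-bit entropy the table reports, parses a Zone.Identifier stream, and turns those observations into triage findings. The Zone.Identifier bytes are reconstructed from the 26-byte preview above (the four non-printable bytes are assumed to be two CRLFs; with that assumption the entropy comes out at the 3.95006... the table lists), the packed-PE threshold is a rule of thumb, and the high-entropy buffer is an arbitrary constructed input, not the sample.

```python
import hashlib
import math
from collections import Counter
from typing import List, Optional, Tuple

# SHA-256 the report gives for CV.exe; the dropped dhcpmon.exe carries the same value.
SAMPLE_SHA256 = "37649a092c0ad878f4fb8d8578c2e7ca110360ba1575e0697baf1efa8e5cb409"
# Rule of thumb (an assumption, not from the report): a PE above this is packed or carries an encrypted blob.
PACKED_ENTROPY = 7.2
# URLZONE_* values written to the Zone.Identifier stream; 3 (Internet) is the Mark-of-the-Web.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: the 'Entropy (8bit)' column in the tables above.
    0.0 for a constant buffer, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_zone_identifier(stream: bytes) -> Tuple[Optional[int], str]:
    """Parse a Zone.Identifier alternate data stream (an INI file with a [ZoneTransfer] section).
    Returns (zone_id, zone_name); zone_id is None when the section carries no ZoneId."""
    zone = None
    in_section = False
    for raw in stream.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                zone = int(value.strip())
    return zone, ZONE_NAMES.get(zone, "unknown")


def triage_dropped(data: bytes, zone_stream: Optional[bytes] = None) -> List[str]:
    """The questions the table above answers for dhcpmon.exe: is the dropped file a byte-identical
    copy of the sample, does it look packed, and did the dropper give it a Zone.Identifier that
    claims a local origin so it carries no Mark-of-the-Web."""
    findings = []
    if hashlib.sha256(data).hexdigest() == SAMPLE_SHA256:
        findings.append("byte-identical copy of the submitted sample")
    ent = shannon_entropy(data)
    if data[:2] == b"MZ" and ent > PACKED_ENTROPY:
        findings.append(f"high-entropy PE ({ent:.2f} bits/byte): packed or encrypted payload")
    if zone_stream is not None:
        zone, name = parse_zone_identifier(zone_stream)
        if zone is not None and zone < 3:
            findings.append(f"Zone.Identifier ZoneId={zone} ({name}): no Mark-of-the-Web")
    return findings


# Constructed inputs: the reconstructed 26-byte Zone.Identifier stream (line-break layout assumed)
# and an arbitrary high-entropy buffer standing in for a packed PE. Neither is the sample.
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"
PACKED_PE = b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    print(f"Zone.Identifier entropy: {shannon_entropy(ZONE_STREAM):.14f}")
    for finding in triage_dropped(PACKED_PE, ZONE_STREAM):
        print(finding)
```

The hash comparison is the cheap check to run first on an infected host: if C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe hashes to the sample's SHA-256, the persistence binary needs no separate analysis.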

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.8927039026454215
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:CV.exe
                                                      File size:431104
                                                      MD5:de2d175988e8d0e1d9c37482fb37c66c
                                                      SHA1:d4e7bacea5b7ee3deb72f73cff98b286661f612e
                                                      SHA256:37649a092c0ad878f4fb8d8578c2e7ca110360ba1575e0697baf1efa8e5cb409
                                                      SHA512:a9b300cdddca05ff8235defd5718c4f491d94f2f8840dbda81e874c69ab2049e082177e439b2a3aac5ac1d3bc214b038f4e38fe454ce57077de25220bbe2e5a1
                                                      SSDEEP:6144:EimL+T2bm+Ds2n+/10GrM2cwktwooxz6MuDHWfqvfNP80/lg82D6F2:7Q5yDY+/1tcwYa6HD7vfa0tP5A
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..a..............0.................. ........@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:00828e8e8686b000

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x46a5aa
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x619D974F [Wed Nov 24 01:37:19 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v2.0.50727
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [ecx], eax
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [ecx], al
                                                      add dword ptr [eax], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add dword ptr [eax], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [ecx], al
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [eax], eax
                                                      add byte ptr [ecx], al
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      aas
                                                      add byte ptr [eax], al
                                                      add byte ptr [esi], cl
                                                      add byte ptr [eax], al
                                                      add byte ptr [edx+08h], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add dword ptr [eax], eax
                                                      add byte ptr [ecx], al
                                                      add dword ptr [eax], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a558 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x610 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x68630 | 0x68800 | False | 0.920347076854 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.90812052873 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6c000 | 0x610 | 0x800 | False | 0.33154296875 | data | 3.42607921431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x6c090 | 0x380 | data | |
RT_MANIFEST | 0x6c420 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                      Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Microsoft 2011
Assembly Version | 1.0.0.0
InternalName | SafeIsolatedStorageFileHand.exe
FileVersion | 1.0.0.0
CompanyName | Microsoft
LegalTrademarks |
Comments |
ProductName | Tetris
ProductVersion | 1.0.0.0
FileDescription | Tetris
OriginalFilename | SafeIsolatedStorageFileHand.exe
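
The static data above is the classic shape of a managed loader: the only native import is mscoree!_CorExeMain, the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) sits in .text, and .text itself has an entropy of 7.9 bits/byte and is misidentified by libmagic as "PGP symmetric key encrypted data", which is what an encrypted NanoCore payload embedded in a .NET stub looks like before it is unpacked at run time. The following is an added example, not code from the Joe Sandbox report: it parses the PE section table and the CLR data-directory entry with the Python standard library, computes per-section Shannon entropy and flags executable sections above a threshold. It runs against a constructed minimal PE32 produced by build_sample_pe(), not against CV.exe; the 7.0 threshold, the sample builder and the section contents are assumptions made for the demonstration.

```python
# Added example (not from the Joe Sandbox report): parse PE section headers with the
# standard library, score each section's entropy and flag the pattern seen above.
import hashlib
import math
import struct

ENTROPY_PACKED_THRESHOLD = 7.0  # assumption: bits/byte above which code is treated as packed/encrypted
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS -> PE -> optional header -> section table; return sections plus CLR-header presence."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", image, opt_off)
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR.
    dd_off = opt_off + (96 if magic == 0x10B else 112)
    _clr_rva, clr_size = struct.unpack_from("<II", image, dd_off + 14 * 8)
    sections = []
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        hdr = image[sec_off + i * 40:sec_off + (i + 1) * 40]
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        chars, = struct.unpack_from("<I", hdr, 36)
        sections.append({
            "name": hdr[:8].rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size]),
        })
    return {"is_dotnet": clr_size != 0, "sections": sections}


def triage(image: bytes) -> list:
    """Human-readable findings in the spirit of the report's 'Sections' table."""
    info = parse_pe(image)
    findings = []
    for s in info["sections"]:
        if s["executable"] and s["entropy"] > ENTROPY_PACKED_THRESHOLD:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}, "
                            "packed or encrypted payload likely")
    if info["is_dotnet"]:
        findings.append("CLR header present: managed binary, mscoree!_CorExeMain should be the only native import")
    return findings


def _filler(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with a CLR data directory and two sections; this is not CV.exe."""
    file_align, hdr_size = 0x200, 0x400
    text = _filler(0x1000, b"sample-payload")                        # high entropy, like .text above
    rsrc = b"\0" * 0x600 + b"<assembly/>" + b"\0" * 0x1F5             # mostly zeros, like .rsrc above
    layout = [(b".text", 0x2000, text, 0x60000020), (b".rsrc", 0x4000, rsrc, 0x40000040)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)           # COM descriptor RVA/size, as in the report
    sec_hdrs, body, raw_ptr = b"", b"", hdr_size
    for name, vaddr, data, chars in layout:
        raw_size = -(-len(data) // file_align) * file_align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data + b"\0" * (raw_size - len(data))
        raw_ptr += raw_size
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return headers + b"\0" * (hdr_size - len(headers)) + body


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

To use this on a real sample, read the file with open(path, "rb").read() and pass it to triage(). An entropy near 8 in the only executable section of a tiny-import .NET binary is a strong hint that the interesting code is only visible after the stub decrypts and loads it, which is why the dynamic section of the report (memory YARA hits for NanoCore in a second CV.exe process) carries more weight than the static import list here.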

                                                      Network Behavior

                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/24/21-03:43:08.212325 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57459 | 8.8.8.8 | 192.168.2.3
11/24/21-03:43:11.559225 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:43:19.257828 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:43:24.104401 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52806 | 8.8.8.8 | 192.168.2.3
11/24/21-03:43:43.590776 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53910 | 8.8.8.8 | 192.168.2.3
11/24/21-03:43:43.622080 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:43:50.997879 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:43:57.357526 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49786 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:44:06.603088 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49788 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:44:11.301772 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49794 | 1187 | 192.168.2.3 | 194.85.248.250
11/24/21-03:44:17.806794 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53777 | 8.8.8.8 | 192.168.2.3
11/24/21-03:44:20.840746 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49799 | 1187 | 192.168.2.3 | 194.85.248.250

                                                      Network Port Distribution

                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2021 03:43:08.228368998 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:11.229768991 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:11.257205009 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:11.257388115 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:11.559225082 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:11.598041058 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:11.605638981 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:11.615094900 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:11.885962963 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:11.938107014 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:11.960104942 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.229819059 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.542372942 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.570508003 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:12.570669889 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.610069990 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:12.611737967 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.686796904 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:12.688307047 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.716437101 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:12.716687918 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.744748116 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:12.745721102 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:12.777863026 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.012320995 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.012567997 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.012599945 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.040729046 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.040767908 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.041172981 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.053162098 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.053352118 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.346338034 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.346556902 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.349673033 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.375209093 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.375256062 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.375442028 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.397308111 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.403697014 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.403842926 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.432209015 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.432398081 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.470074892 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.703352928 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.703713894 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.732023954 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.732083082 CET | 1187 | 49742 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:13.732301950 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:13.732348919 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:14.498286963 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:14.730793953 CET | 49742 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.227686882 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.257054090 CET | 1187 | 49743 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:19.257229090 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.257827997 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.511636019 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.539818048 CET | 1187 | 49743 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:19.539896011 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.590368032 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.616215944 CET | 1187 | 49743 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:19.616367102 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:19.809493065 CET | 49743 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:24.105729103 CET | 49746 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:27.106117964 CET | 49746 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:33.106533051 CET | 49746 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:43.592745066 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:43.621320009 CET | 1187 | 49747 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:43.621468067 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:43.622080088 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:43.873128891 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:43.953313112 CET | 1187 | 49747 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:43.962455988 CET | 1187 | 49747 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:43.963309050 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:43.992223024 CET | 1187 | 49747 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:43.998444080 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:44.248075962 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:44.560730934 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:44.589870930 CET | 1187 | 49747 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:44.608331919 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:44.857610941 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:45.135390997 CET | 1187 | 49746 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:45.170051098 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:45.592786074 CET | 49747 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:50.957813025 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:50.986469984 CET | 1187 | 49763 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:50.986578941 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:50.997879028 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.061791897 CET | 1187 | 49763 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:51.062082052 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.097136974 CET | 1187 | 49763 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:51.139285088 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.155265093 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.233374119 CET | 1187 | 49763 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:51.233453989 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.498684883 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.617244005 CET | 1187 | 49763 | 194.85.248.250 | 192.168.2.3
Nov 24, 2021 03:43:51.617335081 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.617363930 CET | 49763 | 1187 | 192.168.2.3 | 194.85.248.250
Nov 24, 2021 03:43:51.645592928 CET | 1187 | 49763 | 194.85.248.250 | 192.168.2.3

                                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2021 03:43:08.191291094 CET | 57459 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:43:08.212325096 CET | 53 | 57459 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:43:19.204021931 CET | 57875 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:43:19.226371050 CET | 53 | 57875 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:43:24.082745075 CET | 52806 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:43:24.104401112 CET | 53 | 52806 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:43:43.569127083 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:43:43.590775967 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:43:50.935333967 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:43:50.955516100 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:43:57.308087111 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:43:57.327816963 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:44:03.538379908 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:44:03.558403015 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:44:11.241858959 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:44:11.262809038 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 03:44:17.786855936 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 03:44:17.806793928 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3

                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 24, 2021 03:43:08.191291094 CET | 192.168.2.3 | 8.8.8.8 | 0x1cd2 | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:19.204021931 CET | 192.168.2.3 | 8.8.8.8 | 0x66ac | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:24.082745075 CET | 192.168.2.3 | 8.8.8.8 | 0x6587 | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:43.569127083 CET | 192.168.2.3 | 8.8.8.8 | 0x6966 | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:50.935333967 CET | 192.168.2.3 | 8.8.8.8 | 0x9bd | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:57.308087111 CET | 192.168.2.3 | 8.8.8.8 | 0x46e | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:44:03.538379908 CET | 192.168.2.3 | 8.8.8.8 | 0xa1bf | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:44:11.241858959 CET | 192.168.2.3 | 8.8.8.8 | 0x9e71 | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)
Nov 24, 2021 03:44:17.786855936 CET | 192.168.2.3 | 8.8.8.8 | 0x8b0a | Standard query (0) | dera31.ddns.net | A (IP address) | IN (0x0001)

                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 24, 2021 03:43:08.212325096 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd2 | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:19.226371050 CET | 8.8.8.8 | 192.168.2.3 | 0x66ac | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:24.104401112 CET | 8.8.8.8 | 192.168.2.3 | 0x6587 | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:43.590775967 CET | 8.8.8.8 | 192.168.2.3 | 0x6966 | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:50.955516100 CET | 8.8.8.8 | 192.168.2.3 | 0x9bd | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:43:57.327816963 CET | 8.8.8.8 | 192.168.2.3 | 0x46e | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:44:03.558403015 CET | 8.8.8.8 | 192.168.2.3 | 0xa1bf | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:44:11.262809038 CET | 8.8.8.8 | 192.168.2.3 | 0x9e71 | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
Nov 24, 2021 03:44:17.806793928 CET | 8.8.8.8 | 192.168.2.3 | 0x8b0a | No error (0) | dera31.ddns.net | | 194.85.248.250 | A (IP address) | IN (0x0001)
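
Read together, the DNS and TCP tables show the NanoCore client's reconnect loop: every few seconds the sample re-resolves dera31.ddns.net (a No-IP dynamic DNS name, always answered with 194.85.248.250), opens a fresh connection from a new ephemeral port to TCP/1187, exchanges a few small packets, and repeats; the 49746 flow shows the SYN retransmission pattern (03:43:24, :27, :33) when the server was slow to answer, and Snort's ET 2025019 fires on each exchange. The script below is an added example, not part of the Joe Sandbox report: it correlates resolved names with outbound flows and flags destinations that receive repeated new connections, are reached via a dynamic-DNS name, or listen on an uncommon port. The DNS_ANSWERS and TCP_FLOWS records are a constructed subset of the tables above (one benign flow to 203.0.113.10:443 is added for contrast); the dynamic-DNS suffix list, the port allow-list and the three-connection threshold are assumptions.

```python
# Added example (not from the Joe Sandbox report): correlate DNS answers with outbound
# TCP flows to recognise the reconnecting RAT client seen in the tables above.
from collections import defaultdict
from datetime import datetime

# Constructed subset of the report's "DNS Answers" table: (timestamp, name, address).
DNS_ANSWERS = [
    ("Nov 24, 2021 03:43:08.212325096 CET", "dera31.ddns.net", "194.85.248.250"),
    ("Nov 24, 2021 03:43:19.226371050 CET", "dera31.ddns.net", "194.85.248.250"),
    ("Nov 24, 2021 03:43:24.104401112 CET", "dera31.ddns.net", "194.85.248.250"),
    ("Nov 24, 2021 03:43:43.590775967 CET", "dera31.ddns.net", "194.85.248.250"),
    ("Nov 24, 2021 03:43:50.955516100 CET", "dera31.ddns.net", "194.85.248.250"),
]
# Constructed from the "TCP Packets" table: the first packet of every outbound flow
# (timestamp, source port, destination port, destination IP), plus one benign flow for contrast.
TCP_FLOWS = [
    ("Nov 24, 2021 03:43:08.228368998 CET", 49742, 1187, "194.85.248.250"),
    ("Nov 24, 2021 03:43:19.227686882 CET", 49743, 1187, "194.85.248.250"),
    ("Nov 24, 2021 03:43:24.105729103 CET", 49746, 1187, "194.85.248.250"),
    ("Nov 24, 2021 03:43:43.592745066 CET", 49747, 1187, "194.85.248.250"),
    ("Nov 24, 2021 03:43:50.957813025 CET", 49763, 1187, "194.85.248.250"),
    ("Nov 24, 2021 03:43:30.000000000 CET", 49750, 443, "203.0.113.10"),  # constructed benign flow
]
# Assumption: a short illustrative list of dynamic-DNS suffixes; use a maintained feed in production.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".duckdns.org", ".hopto.org")
# Assumption: ports that are not suspicious on their own.
COMMON_PORTS = {25, 53, 80, 443, 587, 993, 995}


def parse_ts(s: str) -> datetime:
    """Parse 'Nov 24, 2021 03:43:08.228368998 CET'; nanoseconds are truncated to microseconds."""
    stamp = s.rsplit(" ", 1)[0]                      # drop the zone label
    return datetime.strptime(stamp[:-3], "%b %d, %Y %H:%M:%S.%f")


def analyze(dns_answers, tcp_flows, min_connections=3):
    """Group flows by (dst, dport); report destinations with repeated new connections and why."""
    ip_to_names = defaultdict(set)
    for _, name, addr in dns_answers:
        ip_to_names[addr].add(name)
    by_dest = defaultdict(list)
    for ts, _sport, dport, dst in tcp_flows:
        by_dest[(dst, dport)].append(parse_ts(ts))
    findings = []
    for (dst, dport), times in sorted(by_dest.items()):
        if len(times) < min_connections:
            continue                                 # one-off connections are not beaconing
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        names = sorted(ip_to_names.get(dst, ()))
        span = (times[-1] - times[0]).total_seconds()
        reasons = [f"{len(times)} new connections in {span:.0f}s"]
        if any(n.endswith(DDNS_SUFFIXES) for n in names):
            reasons.append("destination resolved via dynamic DNS")
        if dport not in COMMON_PORTS:
            reasons.append(f"non-standard port {dport}")
        findings.append({
            "dst": dst, "dport": dport, "names": names,
            "connections": len(times),
            "mean_gap_s": sum(gaps) / len(gaps),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(DNS_ANSWERS, TCP_FLOWS):
        print(f"{f['dst']}:{f['dport']} ({', '.join(f['names'])}): " + "; ".join(f["reasons"]))
```

The same logic transfers to Zeek conn.log and dns.log or to firewall logs once the two record shapes are mapped onto the tuples above. Matching on the resolved name rather than the IP matters here: a dynamic-DNS operator can repoint dera31.ddns.net at a new address at any time, so the domain and the reconnect cadence are the durable indicators, while 194.85.248.250 is only good until the operator moves.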

                                                      Behavior

                                                      System Behavior

                                                      General

Start time: 03:42:56
Start date: 24/11/2021
Path: C:\Users\user\Desktop\CV.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CV.exe"
Imagebase: 0x790000
File size: 431104 bytes
MD5 hash: DE2D175988E8D0E1D9C37482FB37C66C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.290046292.0000000002E71000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.290082065.0000000002E95000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.291903839.0000000003E71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:low

                                                      General

                                                      Start time:03:43:02
                                                      Start date:24/11/2021
                                                      Path:C:\Users\user\Desktop\CV.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\CV.exe
                                                      Imagebase:0x610000
                                                      File size:431104 bytes
                                                      MD5 hash:DE2D175988E8D0E1D9C37482FB37C66C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.287075484.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.287499193.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.288052990.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.286632471.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:low

                                                      General

                                                      Start time:03:43:15
                                                      Start date:24/11/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                      Imagebase:0x240000
                                                      File size:431104 bytes
                                                      MD5 hash:DE2D175988E8D0E1D9C37482FB37C66C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.325873810.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.328775816.00000000039F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.325943283.0000000002A17000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:03:43:16
                                                      Start date:24/11/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Imagebase:0x10000
                                                      File size:431104 bytes
                                                      MD5 hash:DE2D175988E8D0E1D9C37482FB37C66C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      General

                                                      Start time:03:43:17
                                                      Start date:24/11/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Imagebase:0x10000
                                                      File size:431104 bytes
                                                      MD5 hash:DE2D175988E8D0E1D9C37482FB37C66C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      General

                                                      Start time:03:43:19
                                                      Start date:24/11/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Imagebase:0xa40000
                                                      File size:431104 bytes
                                                      MD5 hash:DE2D175988E8D0E1D9C37482FB37C66C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.323309609.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.322328292.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.338892529.0000000003211000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.338928504.0000000004211000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.338928504.0000000004211000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.322810858.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.323801739.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.338247555.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:low

                                                      General

                                                      Start time:03:45:01
                                                      Start date:24/11/2021
                                                      Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                      Wow64 process (32bit):
                                                      Commandline:wmiadap.exe /F /T /R
                                                      Imagebase:
                                                      File size:177664 bytes
                                                      MD5 hash:9783D0765F31980950445DFD40DB15DA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      Disassembly

                                                      Code Analysis
