IOC Report


Files

File Path | Type | Category | Malicious
INV.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | Non-ISO extended-ASCII text, with no line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat | data | dropped | clean
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin | data | modified | clean
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat | data | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\INV.exe | "C:\Users\user\Desktop\INV.exe" | malicious
C:\Users\user\Desktop\INV.exe | C:\Users\user\Desktop\INV.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | malicious

URLs

Name | IP | Malicious
dera31.ddns.net | 195.133.18.211 | malicious
http://www.apache.org/licenses/LICENSE-2.0 | unknown | clean
http://www.fontbureau.com | unknown | clean
http://www.fontbureau.com/designersG | unknown | clean
http://www.fontbureau.com/designers/? | unknown | clean
http://www.founder.com.cn/cn/bThe | unknown | clean
http://www.fontbureau.com/designers? | unknown | clean
http://www.tiro.com | unknown | clean
http://www.fontbureau.com/designers | unknown | clean
http://www.goodfont.co.kr | unknown | clean
http://www.carterandcone.coml | unknown | clean
http://www.sajatypeworks.com | unknown | clean
http://www.typography.netD | unknown | clean
http://www.fontbureau.com/designers/cabarga.htmlN | unknown | clean
http://www.founder.com.cn/cn/cThe | unknown | clean
http://www.galapagosdesign.com/staff/dennis.htm | unknown | clean
http://fontfabrik.com | unknown | clean
http://www.founder.com.cn/cn | unknown | clean
http://www.fontbureau.com/designers/frere-jones.html | unknown | clean
http://www.fontbureau.comm | unknown | clean
http://www.jiyu-kobo.co.jp/ | unknown | clean
http://www.galapagosdesign.com/DPlease | unknown | clean
http://www.fontbureau.com/designers8 | unknown | clean
http://www.fontbureau.comgrito | unknown | clean
http://www.fonts.com | unknown | clean
http://www.sandoll.co.kr | unknown | clean
http://www.urwpp.deDPlease | unknown | clean
http://www.zhongyicts.com.cn | unknown | clean
http://www.chinhdo.com | unknown | clean
http://www.sakkal.com | unknown | clean

Domains

Name | IP | Malicious
dera31.ddns.net | 194.85.248.250 | malicious

IPs

IP | Domain | Country | Malicious
194.85.248.250 | dera31.ddns.net | Russian Federation | malicious
192.168.2.1 | unknown | unknown | clean

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | DHCP Monitor | clean

Memdumps

Base Address | Region type | Protect | Malicious
2FE1000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
3FE9000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
3A89000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
4369000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
2A81000 | unknown | page read and write | malicious
3361000 | unknown | page read and write | malicious