
Analysis Report NEW ORDER_8876630.exe

Overview

General Information

Sample Name: NEW ORDER_8876630.exe
Analysis ID: 320333
MD5: 1745bf7233bdb5b42fba4517363b258f
SHA1: 826f6dcbbe56fa62b3894f52c5ab18fd009930e2
SHA256: 33d2ce58e713daa6aeae2d712dfbdac9e7f431df73c969f0c70afa75b56f1ab9
Tags: exe, NanoCore, RAT

Detection

Nanocore AveMaria MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected AveMaria stealer
Yara detected MailPassView
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NEW ORDER_8876630.exe (PID: 6164 cmdline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6444 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW ORDER_8876630.exe (PID: 5852 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
      • schtasks.exe (PID: 6624 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6156 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 5876 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5796 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5776 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh' MD5: B3A917344F5610BEEC562556F11300FA)
  • NEW ORDER_8876630.exe (PID: 6852 cmdline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0 MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6672 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1745BF7233BDB5B42FBA4517363B258F)
  • dhcpmon.exe (PID: 4088 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6916 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6508 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • dhcpmon.exe (PID: 4928 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x561e7:$a: NanoCore
  • 0x562d1:$a: NanoCore
  • 0x57148:$a: NanoCore
  • 0x602f2:$a: NanoCore
  • 0x60353:$a: NanoCore
  • 0x60396:$a: NanoCore
  • 0x603d6:$a: NanoCore
  • 0x60612:$a: NanoCore
  • 0x606b2:$a: NanoCore
  • 0x60e8a:$a: NanoCore
  • 0x6147d:$a: NanoCore
  • 0x615ce:$a: NanoCore
  • 0x62428:$a: NanoCore
  • 0x6268f:$a: NanoCore
  • 0x626a4:$a: NanoCore
  • 0x626c3:$a: NanoCore
  • 0x6b5c6:$a: NanoCore
  • 0x6b5ef:$a: NanoCore
  • 0x77368:$a: NanoCore
  • 0x77391:$a: NanoCore
  • 0x9c254:$a: NanoCore
Source: 00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security

Unpacked PEs

Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\NEW ORDER_8876630.exe, ProcessId: 5852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' , ParentImage: C:\Users\user\Desktop\NEW ORDER_8876630.exe, ParentProcessId: 6164, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', ProcessId: 6444

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 49%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: NEW ORDER_8876630.exe | Virustotal: Detection: 49%
Yara detected AveMaria stealer
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match | File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW ORDER_8876630.exe | Joe Sandbox ML: detected
Source: 28.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49729 -> 79.134.225.9:4321
Source: global traffic | TCP traffic: 192.168.2.4:49729 -> 79.134.225.9:4321
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.9
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NEW ORDER_8876630.exe, NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW ORDER_8876630.exe, 00000000.00000002.670733862.0000000002721000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5e
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?oci
          Source: vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.865177744.0000000000994000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr, 3agbefca.z1h.34.drString found in binary or memory: http://www.nirsoft.net/
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/staticY
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/LMEMx
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=F
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=we
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
          Source: dhcpmon.exe, 0000000F.00000002.693277110.0000000000E88000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
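Most of the URL hits above are font-vendor addresses (Font Bureau, Carter & Cone, Tiro, Sakkal and the rest) that come from system font files mapped into the .NET process rather than from the malware itself, and the trailing stray characters on some of them ("coml", "htmlN", "DPlease") are overrun bytes from the sandbox's string scanner, not part of any real URL. The hits that matter are easy to miss in that noise: http://www.nirsoft.net/ inside vbc.exe, in a region at base 0x400000 with page protection 0x40 (PAGE_EXECUTE_READWRITE) and in two dropped files, which fits the MailPassView and WebBrowserPassView detections in the signature list; the Google, MSN and ad-network URLs that only ever appear in vbc.exe memory, which is what browser-history data read by a credential tool looks like; and RegisterRawInputDevices in the main process, a raw-input registration that keyloggers use to receive keystrokes. The script below is an added example for triaging this kind of list, not code from the Joe Sandbox report: it parses lines in the shape the report prints them (source list run straight into the hit type), groups hits by host with the processes and dumps they came from, flags strings found in RWX regions, and ranks the buckets. The bucket lists, the API notes and the reading of the dump-name fields as process index, dump pass, id, base address, page protection and memory type are this example's own assumptions, and the five sample lines are constructed from entries in the list above.

```python
"""Triage of the "String found in binary or memory" hits in a sandbox report.
Added example, not code from the Joe Sandbox report: parses hit lines in the
shape the report prints them, groups URL hits by host with the processes and
dumps each came from, and buckets them so font-vendor metadata does not bury
the hits worth an analyst's time. Bucket lists, API notes and the reading of
the dump-name fields are this example's own assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input in the shape the report uses ("...sdmpString found ...").
SAMPLE_LINES = """\
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.drString found in binary or memory: http://www.nirsoft.net/
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices
"""

HIT_RE = re.compile(r"^Source:\s*(?P<sources>.+?)\s*"
                    r"(?P<kind>String found in binary or memory|Binary or memory string):\s*"
                    r"(?P<value>.+?)\s*$")
# Assumed dump-name layout: <proc index>.<pass>.<id>.<base address>.<page protection>.<mem type>.sdmp
DUMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 page protection; RWX is where unpacked or injected code lives

# Host buckets chosen for this report (an assumption, not a sandbox feature).
FONT_VENDORS = ("fontbureau.com", "fontfabrik.com", "carterandcone.com", "fonts.com", "founder.com.cn",
                "galapagosdesign.com", "goodfont.co.kr", "jiyu-kobo.co.jp", "sajatypeworks.com",
                "sakkal.com", "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de", "zhongyicts.com.cn")
BROWSER_HISTORY = ("google.com", "msn.com", "doubleclick.net", "media.net", "akamaized.net")
API_OF_INTEREST = {"RegisterRawInputDevices": "raw keyboard input registration, a common keylogger primitive",
                   "DirectDrawCreateEx": "DDRAW hook record, usually AppCompat shim noise; low signal alone"}
BUCKET_ORDER = ("tooling", "browser-history", "other", "pki", "runtime", "font-metadata")


def classify_host(host):
    """Bucket a host. Prefix matching tolerates the overrun bytes (".coml",
    ".htmlN") the string scanner leaves on strings that lack a terminator."""
    h = host.lower()
    h = h[4:] if h.startswith("www.") else h
    if h.startswith("nirsoft.net"):
        return "tooling"  # NirSoft recovery tools bundled as the credential-theft payload
    if h.startswith(("crl.", "ocsp.")):
        return "pki"  # revocation endpoints from an embedded code-signing certificate
    if h in ("schemas.xmlsoap.org", "apache.org"):
        return "runtime"  # .NET and library boilerplate
    if any(h.startswith(v) for v in FONT_VENDORS):
        return "font-metadata"  # vendor URLs carried in font files mapped into the process
    if any(h.endswith(v) or h.startswith(v) for v in BROWSER_HISTORY):
        return "browser-history"  # pages the victim visited, read by the credential tool
    return "other"


def parse_sources(text):
    """Split 'proc.exe, <dump>.sdmp, proc.exe, <dump>.sdmp, file.dr' into
    (process names, dump records, dropped files); a name precedes its dumps."""
    procs, dumps, dropped, current = set(), [], set(), None
    for item in (s.strip() for s in text.split(",")):
        m = DUMP_RE.match(item)
        if m:
            dumps.append({"process": current, "base": int(m.group(4), 16), "protect": int(m.group(5), 16)})
        elif item.endswith(".dr"):
            dropped.add(item)
        else:
            current = item
            procs.add(item)
    return procs, dumps, dropped


def triage(report_text):
    """Return {'hosts': {host: info}, 'apis': {name: info}, 'rwx_dumps': [(proc, base, value)]}."""
    hosts = defaultdict(lambda: {"bucket": None, "urls": set(), "processes": set(), "dropped": set()})
    apis, rwx = {}, []
    for line in report_text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        procs, dumps, dropped = parse_sources(m["sources"])
        rwx += [(d["process"], hex(d["base"]), m["value"]) for d in dumps
                if d["protect"] == PAGE_EXECUTE_READWRITE]
        if m["kind"] == "Binary or memory string":
            for api, why in API_OF_INTEREST.items():
                if api in m["value"]:
                    apis[api] = {"why": why, "processes": procs}
            continue
        host = urlsplit(m["value"]).hostname or m["value"]
        entry = hosts[host]
        entry["bucket"] = classify_host(host)
        entry["urls"].add(m["value"])
        entry["processes"] |= procs
        entry["dropped"] |= dropped
    return {"hosts": dict(hosts), "apis": apis, "rwx_dumps": rwx}


def summarize(result):
    """One line per host, most interesting bucket first, then RWX dumps and API hits."""
    ranked = sorted(result["hosts"].items(), key=lambda kv: (BUCKET_ORDER.index(kv[1]["bucket"]), kv[0]))
    out = [f"{e['bucket']:<16}{host:<40} in {', '.join(sorted(e['processes']))}" for host, e in ranked]
    out += [f"{'rwx-dump':<16}{proc} @ {base}: {value}" for proc, base, value in result["rwx_dumps"]]
    out += [f"{'api':<16}{api}: {i['why']} ({', '.join(sorted(i['processes']))})"
            for api, i in result["apis"].items()]
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LINES))))
```

Run over the full list above instead of the five constructed lines, the same code puts www.nirsoft.net and the vbc.exe-only browser hosts at the top, lists the nirsoft.net string as the only RWX-region hit (vbc.exe at 0x400000), and pushes the fifteen font-vendor hosts to the bottom. Hosts that land in "other" on a different report are the ones to resolve and check against threat intelligence; the font, runtime and PKI buckets are safe to skip unless a process that should never touch them shows up in their source list.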