
Windows Analysis Report: 09142021_PDF.vbs

Overview

General Information

Sample Name: 09142021_PDF.vbs
Analysis ID: 483646
MD5: 4a638d451c40bc23491a0c79b6561d29
SHA1: 5caa98e6150e72cff32549541ab937cc952b769c
SHA256: 62e85b9481efe0bb5921277ce40acb236dba44be1bbe8bab2be8068eef10c341
Tags: NanoCore RAT vbs

Detection

Detected families: Nanocore, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Detected Nanocore Rat
Sigma detected: MSBuild connects to smtp port
Antivirus detection for dropped file
Yara detected Nanocore RAT
Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Injects files into Windows application
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains strange resources
Drops PE files
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7012 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Notepad.exe (PID: 3664 cmdline: 'C:\Users\user\AppData\Local\Temp\Notepad.exe' MD5: 033B15C82C1F08143DA87E0F4D1AD9BC)
      • MSBuild.exe (PID: 5480 cmdline: {path} MD5: 88BBB7610152B48C2B3879473B17857E)
    • Chrome.exe (PID: 5276 cmdline: 'C:\Users\user\AppData\Local\Temp\Chrome.exe' MD5: A9C24A18FBD231939EB608A7A2087A49)
  • dhcpmon.exe (PID: 6560 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A9C24A18FBD231939EB608A7A2087A49)
  • hmltog.exe (PID: 4328 cmdline: 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • hmltog.exe (PID: 3728 cmdline: 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "de7e01ad-963b-4e14-81aa-08dfb351", "Group": "Do", "Domain1": "sys2021.linkpc.net", "Domain2": "23.94.82.41", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@quanturnvia.com", "Password": "info", "Host": "mail.quanturnvia.com"}

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(3 further entries not shown on this page)

Memory Dumps

Source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp
Rule: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla; author: Joe Security)

Source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp
Rule: JoeSecurity_AgentTesla_2 (Yara detected AgentTesla; author: Joe Security)

Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
Strings:
  • 0x23ba3:$a: NanoCore
  • 0x23bfc:$a: NanoCore
  • 0x23c39:$a: NanoCore
  • 0x23cb2:$a: NanoCore
  • 0x23c05:$b: ClientPlugin
  • 0x23c42:$b: ClientPlugin
  • 0x24540:$b: ClientPlugin
  • 0x2454d:$b: ClientPlugin
  • 0x1b3f2:$e: KeepAlive
  • 0x2408d:$g: LogClientMessage
  • 0x2400d:$i: get_Connected
  • 0x15bd5:$j: #=q
  • 0x15c05:$j: #=q
  • 0x15c41:$j: #=q
  • 0x15c69:$j: #=q
  • 0x15c99:$j: #=q
  • 0x15cc9:$j: #=q
  • 0x15cf9:$j: #=q
  • 0x15d29:$j: #=q
  • 0x15d45:$j: #=q
  • 0x15d75:$j: #=q

Source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla; author: Joe Security)

(38 further entries not shown on this page)

Unpacked PEs

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Source: 7.2.dhcpmon.exe.397e43c.2.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

(64 further entries not shown on this page)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Chrome.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Networking:

Sigma detected: MSBuild connects to smtp port
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 5.149.255.77, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Initiated: true, ProcessId: 5480, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49829

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Chrome.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Chrome.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Chrome.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Yara detected Nanocore RAT
Source: Yara match; File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Found malware configuration
Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "de7e01ad-963b-4e14-81aa-08dfb351", "Group": "Do", "Domain1": "sys2021.linkpc.net", "Domain2": "23.94.82.41", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 4.2.Notepad.exe.3d699d8.1.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@quanturnvia.com", "Password": "info", "Host": "mail.quanturnvia.com"}

Multi AV Scanner detection for submitted file
Source: 09142021_PDF.vbs; ReversingLabs: Detection: 26%

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Metadefender: Detection: 85%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe; Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe; ReversingLabs: Detection: 100%

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
Source: 5.0.Chrome.exe.1e0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.a0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 7.0.dhcpmon.exe.a0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: hmltog.exe, hmltog.exe.10.dr
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (4_2_06A0C4D8)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 23.94.82.41
Source: Malware configuration extractor; URLs: sys2021.linkpc.net
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View; IP Address: 23.94.82.41
Source: global traffic; TCP traffic: 192.168.2.6:49743 -> 105.112.53.223:11940
Source: global traffic; TCP traffic: 192.168.2.6:49809 -> 23.94.82.41:11940
Source: global traffic; TCP traffic: 192.168.2.6:49829 -> 5.149.255.77:587