Windows Analysis Report TR0398734893 50601251.exe

Overview

General Information

Sample Name: TR0398734893 50601251.exe
Analysis ID: 526553
MD5: f245cb3e4ecc54a0883371b525eb0bb1
SHA1: 71ff34129913ac8a924a28c7523885f11ca44a1c
SHA256: 8371daec5ed076caa1cfdac1ce0ab350744de7d71108ae5efda80e4c54ab1d0e
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicious Add Task From User AppData Temp
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • TR0398734893 50601251.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\TR0398734893 50601251.exe" MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • powershell.exe (PID: 6952 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6968 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TR0398734893 50601251.exe (PID: 4260 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
      • schtasks.exe (PID: 6648 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6712 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • TR0398734893 50601251.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\TR0398734893 50601251.exe" 0 MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • powershell.exe (PID: 1936 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 2944 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TR0398734893 50601251.exe (PID: 7024 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • TR0398734893 50601251.exe (PID: 6984 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • dhcpmon.exe (PID: 6812 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • dhcpmon.exe (PID: 3516 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)

0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)

9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost

9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost

9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, ProcessId: 6968
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ProcessId: 6952
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ProcessId: 6952
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132821089554997111.6952.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: TR0398734893 50601251.exe; Virustotal: Detection: 27%
Source: TR0398734893 50601251.exe; ReversingLabs: Detection: 24%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 27%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe; Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe; ReversingLabs: Detection: 24%
Yara detected Nanocore RAT
Machine Learning detection for sample
Source: TR0398734893 50601251.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe; Joe Sandbox ML: detected
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack; Avira: Label: TR/NanoCore.fadte
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: TR0398734893 50601251.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TR0398734893 50601251.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe; DNS query: name: 9292.freemyip.com
Source: unknown; DNS query: name: 9292.freemyip.com
Source: global traffic; TCP traffic: 192.168.2.7:49762 -> 185.140.53.131:9292