
Analysis Report 7iatifHQEp.exe

Overview

General Information

Sample Name: 7iatifHQEp.exe
Analysis ID: 319522
MD5: 2ab285ba8f3215a095fc99c969a375c0
SHA1: 4b8d19b22ed5562a7677dc7f5e5fe5a7167549f5
SHA256: bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 7iatifHQEp.exe (PID: 6388 cmdline: 'C:\Users\user\Desktop\7iatifHQEp.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • 7iatifHQEp.exe (PID: 4652 cmdline: C:\Users\user\Desktop\7iatifHQEp.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
      • schtasks.exe (PID: 4780 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3416 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 7iatifHQEp.exe (PID: 5624 cmdline: C:\Users\user\Desktop\7iatifHQEp.exe 0 MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • 7iatifHQEp.exe (PID: 5932 cmdline: C:\Users\user\Desktop\7iatifHQEp.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • dhcpmon.exe (PID: 6096 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • dhcpmon.exe (PID: 4804 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • vlc.exe (PID: 5728 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • vlc.exe (PID: 684 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • vlc.exe (PID: 3792 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • dhcpmon.exe (PID: 6848 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • dhcpmon.exe (PID: 6988 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • dhcpmon.exe (PID: 6576 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • vlc.exe (PID: 4640 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • vlc.exe (PID: 1500 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT; author: Florian Roth)
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp
Rule: NanoCore (unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0x435cd:$a: NanoCore
  • 0x43626:$a: NanoCore
  • 0x43663:$a: NanoCore
  • 0x436dc:$a: NanoCore
  • 0x56d87:$a: NanoCore
  • 0x56d9c:$a: NanoCore
  • 0x56dd1:$a: NanoCore
  • 0x6fd73:$a: NanoCore
  • 0x6fd88:$a: NanoCore
  • 0x6fdbd:$a: NanoCore
  • 0x4362f:$b: ClientPlugin
  • 0x4366c:$b: ClientPlugin
  • 0x43f6a:$b: ClientPlugin
  • 0x43f77:$b: ClientPlugin
  • 0x56b43:$b: ClientPlugin
  • 0x56b5e:$b: ClientPlugin
  • 0x56b8e:$b: ClientPlugin
  • 0x56da5:$b: ClientPlugin
  • 0x56dda:$b: ClientPlugin
  • 0x6fb2f:$b: ClientPlugin
  • 0x6fb4a:$b: ClientPlugin
Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Unpacked PEs

Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT; author: Florian Roth)
  • 0x13a8:$x1: NanoCore.ClientPluginHost
Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x13a8:$x2: NanoCore.ClientPluginHost
  • 0x1486:$s4: PipeCreated
  • 0x13c2:$s5: IClientLoggingHost
Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT; author: Florian Roth)
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT; author: Florian Roth)
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\7iatifHQEp.exe, ProcessId: 4652, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\7iatifHQEp.exe, ParentImage: C:\Users\user\Desktop\7iatifHQEp.exe, ParentProcessId: 4652, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp', ProcessId: 4780

Signature Overview

AV Detection:

Found malware configuration
Source: dhcpmon.exe.6576.29.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: atacoinc8897.hopto.org, Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: 7iatifHQEp.exe, Virustotal: Detection: 22%
Source: 7iatifHQEp.exe, ReversingLabs: Detection: 14%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 7iatifHQEp.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.7iatifHQEp.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.vlc.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 26.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.7iatifHQEp.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 29.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 31.2.vlc.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 185.140.53.132:2008
Source: global traffic, TCP traffic: 192.168.2.4:49740 -> 185.140.53.132:2008
Source: Joe Sandbox View, IP Address: 185.140.53.132
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG
Source: unknown, DNS traffic detected: queries for: atacoinc8897.hopto.org
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/0
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
      Source: 7iatifHQEp.exe, 00000000.00000003.663531498.0000000005D64000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-da
      Source: 7iatifHQEp.exe, 00000000.00000003.663884592.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/tion
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/w
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665022443.0000000005D8E000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.666770593.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
      Source: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deo4(
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: http://google.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: 7iatifHQEp.exe, 00000000.00000003.664122612.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
      Source: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com=
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comJ
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comitk
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comw.c3-x
      Source: 7iatifHQEp.exe, 00000000.00000003.665230209.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.co
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: 7iatifHQEp.exe, 00000000.00000003.665186452.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: 7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: 7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx2
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html~
      Source: 7iatifHQEp.exe, 00000000.00000003.665162800.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/~
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersE&
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: 7iatifHQEp.exe, 00000000.00000003.666170417.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersH&
      Source: 7iatifHQEp.exe, 00000000.00000003.665404943.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
      Source: 7iatifHQEp.exe, 00000000.00000003.666404104.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersV
      Source: 7iatifHQEp.exe, 00000000.00000003.665207459.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
      Source: 7iatifHQEp.exe, 00000000.00000003.665427572.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomaD
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtx
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: vlc.exe, 0000000F.00000002.839932695.0000000000D9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RATShow sources
Source: Yara match | File source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
Source: Yara match | File source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_02D6C284
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_02D6E898
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_02D6E888
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_07796750
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_07790007
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_07B6C270
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_07B6BBF8
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_066D0040
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_066D0820
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_066C02B0
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_0120E473
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_0120E480
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_0120BBD4
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_0526F5F8
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_05269788
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_0526A610
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_029EC284
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_029EE898
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_029EE888
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_0557EC10
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_05574668
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_0557EC00
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_05573EB8
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_06DF6750
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_06DF0007
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_06E3C270
Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_06E3BBF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0188F890
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0188C284
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0188E888
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0188E898
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07896750
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07890007
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_078DC270
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_078DBBF8
Source: 7iatifHQEp.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7iatifHQEp.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7iatifHQEp.exe, 00000000.00000002.754390049.00000000075D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameXglbdu.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000000.00000002.754716243.0000000007699000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000000.00000002.755775985.0000000007930000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000000.00000002.745556023.0000000003126000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe | Binary or memory string: OriginalFilename vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000003.759569087.0000000001025000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000000.741751073.00000000009D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.934385775.0000000006250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.933519881.00000000052B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 0000000D.00000002.836252141.0000000002D56000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 0000000D.00000002.831716536.0000000000E88000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 0000000D.00000002.829465620.00000000006E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 0000000D.00000002.857957252.0000000006A80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameXglbdu.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 0000000D.00000002.859613860.0000000006F80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe, 00000017.00000002.846068693.0000000000682000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
Source: 7iatifHQEp.exe | Binary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
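The "OriginalFilename ... vs 7iatifHQEp.exe" lines above come from a simple check: the version-info resource of every module found on disk or in memory carries an OriginalFilename string, and a value that does not match the name the sample actually runs under (here POP.exe, plus a long list of NanoCore client plug-in DLLs that were never on disk) is a strong hint that the running file is a renamed or injected payload. The script below is an added example of that check, not Joe Sandbox code and not part of this report. It assumes only a raw PE file or process memory dump on disk; the plug-in name list is taken from the OriginalFilename strings listed above, and the sample dump it builds is constructed, not data from the analysis.

```python
"""Extract OriginalFilename strings from a PE file or memory dump and flag the
ones that disagree with the name the sample runs as. Added example; not part
of the Joe Sandbox report and not NanoCore code."""
from __future__ import annotations

import re
from pathlib import Path

# Inside a VS_VERSIONINFO String entry the key "OriginalFilename" is stored as a
# NUL-terminated UTF-16LE string, optionally padded to a DWORD boundary, and is
# immediately followed by the UTF-16LE value and its own NUL terminator.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
_ENTRY_RE = re.compile(
    re.escape(_KEY) + rb"(?:\x00\x00)*((?:[\x20-\x7e]\x00)*)\x00\x00")

# NanoCore client plug-in module names as they appear in this report's
# "Binary or memory string" findings.
NANOCORE_PLUGIN_NAMES = frozenset(n.lower() for n in (
    "NanoCoreBase.dll", "ClientPlugin.dll", "CoreClientPlugin.dll",
    "ManagementClientPlugin.dll", "NetworkClientPlugin.dll",
    "SecurityClientPlugin.dll", "ToolsClientPlugin.dll",
    "FileBrowserClient.dll", "SurveillanceClientPlugin.dll",
    "SurveillanceExClientPlugin.dll", "NanoCoreStressTester.dll",
    "MyClientPlugin.dll", "MyClientPluginNew.dll",
))


def extract_original_filenames(blob: bytes) -> list[str]:
    """Every OriginalFilename value in blob, in file order, without the
    trailing byte of the next structure that the raw report strings show."""
    return [m.group(1).decode("utf-16-le") for m in _ENTRY_RE.finditer(blob)]


def mismatched_names(blob: bytes, running_as: str) -> list[str]:
    """Values that differ (case-insensitively) from the on-disk file name."""
    want = running_as.lower()
    return [n for n in extract_original_filenames(blob) if n.lower() != want]


def nanocore_plugin_hits(blob: bytes) -> list[str]:
    """Values that name a NanoCore client plug-in module."""
    return [n for n in extract_original_filenames(blob)
            if n.lower() in NANOCORE_PLUGIN_NAMES]


def scan_file(path: str) -> dict:
    """Run all three checks against a file or dump; returns a summary dict."""
    data = Path(path).read_bytes()
    name = Path(path).name
    return {"running_as": name,
            "original_filenames": extract_original_filenames(data),
            "mismatches": mismatched_names(data, name),
            "nanocore_plugins": nanocore_plugin_hits(data)}


def _vi_entry(value: str) -> bytes:
    """Constructed: the key/value part of one VS_VERSIONINFO String entry."""
    return _KEY + value.encode("utf-16-le") + b"\x00\x00"


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not data from the
    report): four version-info entries separated by filler bytes. The stray
    byte after some entries mimics the wLength field of the following
    structure, which is where the trailing '4', '<' and 'T' in the report's
    raw strings come from."""
    filler = b"\x00" * 7 + b"MZ\x90\x00" + b"\xcc" * 5
    return (filler + _vi_entry("POP.exe") + b"\x34\x00"
            + filler + _vi_entry("NanoCoreBase.dll") + b"<\x00"
            + filler + _vi_entry("ClassLibrary3.dll")
            + filler + _vi_entry("7iatifHQEp.exe") + filler)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = scan_file(sys.argv[1])
    else:
        dump = build_sample_dump()
        result = {"running_as": "7iatifHQEp.exe",
                  "original_filenames": extract_original_filenames(dump),
                  "mismatches": mismatched_names(dump, "7iatifHQEp.exe"),
                  "nanocore_plugins": nanocore_plugin_hits(dump)}
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a dump or PE path as the only argument, or with no argument to see it work on the constructed sample. The regex stops at the value's NUL terminator, so the values it returns are clean; the trailing characters in the report lines ("Xglbdu.dll4", "NanoCoreBase.dll<", "mscorrc.dllT") are most likely the low byte of the next String entry's wLength field that the sandbox printed along with the string. A mismatch on its own is weak evidence (mscorrc.dll, clr.dll and user32 are legitimate runtime modules mapped into every .NET process), which is why the plug-in name check is kept separate.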
Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 7iatifHQEp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: vlc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 7iatifHQEp.exe, 00000000.00000003.663822608.0000000005D8E000.00000004.00000001.sdmp | Binary or memory string: 2017 JIYUKOBO Ltd. All Rights Reserved.slnt
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@28/14@1/1
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{950dc9c6-d071-4b80-ab32-4e46986f440d}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_01
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Users\user\AppData\Local\Temp\tmp52.tmp
      Source: 7iatifHQEp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 7iatifHQEp.exe | Virustotal: Detection: 22%
      Source: 7iatifHQEp.exe | ReversingLabs: Detection: 14%
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File read: C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknown | Process created: C:\Users\user\Desktop\7iatifHQEp.exe 'C:\Users\user\Desktop\7iatifHQEp.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 7iatifHQEp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 7iatifHQEp.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 7iatifHQEp.exe, 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_02D6D6F3 push 0000005Dh; retn 0004h | 0_2_02D6D765
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 0_2_02D6FEC3 pushfd ; iretd | 0_2_02D6FEC9
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_052669FA push esp; retf | 8_2_05266A01
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 8_2_052669F8 pushad ; retf | 8_2_052669F9
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Code function: 13_2_0557A44C push E804FA6Bh; retf | 13_2_0557A451
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0188FEC2 pushfd ; iretd | 14_2_0188FEC9
      Source: initial sample | Static PE information: section name: .text entropy: 7.93849654903
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATAJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\7iatifHQEp.exe File opened: C:\Users\user\Desktop\7iatifHQEp.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: 7iatifHQEp.exe, 00000000.00000002.754390049.00000000075D0000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.857957252.0000000006A80000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.865535286.0000000006AA0000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.883348560.0000000006620000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEAD
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Window / User API: threadDelayed 6722
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Window / User API: threadDelayed 2445
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Window / User API: foregroundWindowGot 411
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Window / User API: foregroundWindowGot 474
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 1492 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 4604 Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 768 Thread sleep time: -40000s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 5660 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2204 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5956 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5812 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 4684 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6296 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 2936 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6112 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6712 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp Binary or memory string: vmware
      Source: 7iatifHQEp.exe, 00000008.00000002.925178554.0000000000FF5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Memory written: C:\Users\user\Desktop\7iatifHQEp.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Memory written: C:\Users\user\Desktop\7iatifHQEp.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Process created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.934356236.000000000624A000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp Binary or memory string: Program ManagerHaRk
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: 7iatifHQEp.exe, 00000008.00000002.935280208.0000000006CDE000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.927503705.0000000002E79000.00000004.00000001.sdmp Binary or memory string: Program Managerp
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: 7iatifHQEp.exe, 00000008.00000002.936423952.000000000751E000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager`
      Source: 7iatifHQEp.exe, 00000008.00000002.934522264.000000000647B000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07794AD0 GetUserNameA,0_2_07794AD0
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07794AD0 GetUserNameA,0_2_07794AD0
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: 7iatifHQEp.exe, 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttribut
eSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGu
idAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDelete
CreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandle
UDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 7iatifHQEp.exe, 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Run
time.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime
.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 7iatifHQEp.exe, 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 7iatifHQEp.exe, 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Columns, in order: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact. The digits following a technique name are the count badges the report attaches to that technique; an empty cell is shown as "-".

Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 112 | Disable or Modify Tools 1 | Input Capture 21 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 11 | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 11 | Obfuscated Files or Information 2 | Security Account Manager | System Information Discovery 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Security Software Discovery 211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 1 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 2 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 319522; Sample: 7iatifHQEp.exe; Start date: 18/11/2020; Architecture: WINDOWS; Score: 100

Signatures attached to the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures.

Process tree recovered from the graph (numbers in parentheses are the graph's node IDs; "counters" are the created-registry-value / created-file badges the legend describes, reproduced as displayed):

• Start (2)
  • 7iatifHQEp.exe (8), counters 1 6
    Dropped: C:\Users\user\AppData\Roaming\...\vlc.exe (PE32); C:\Users\user\...\vlc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\7iatifHQEp.exe.log (ASCII)
    Signature: Injects a PE file into a foreign processes
    • 7iatifHQEp.exe (18), counters 1 15
      Network: atacoinc8897.hopto.org (185.140.53.132), remote port 2008, local port 49740, DAVID_CRAIGGG, Sweden
      Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\Temp\tmp52.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
      Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • schtasks.exe (37), counter 1
        • conhost.exe (41)
      • schtasks.exe (39), counter 1
        • conhost.exe (43)
  • vlc.exe (12), counter 3
    • vlc.exe (23)
    • vlc.exe (25)
  • dhcpmon.exe (14)
    • dhcpmon.exe (27)
    • dhcpmon.exe (29)
  • 3 other processes (16)
    • 7iatifHQEp.exe (31)
    • dhcpmon.exe (33)
    • vlc.exe (35)
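The chain the graph records is a textbook NanoCore install: the second-stage 7iatifHQEp.exe writes a task definition to %TEMP% (tmp52.tmp), hands it to schtasks.exe twice, and parks a copy of itself as vlc.exe inside the user's Start Menu\Programs\VideoLAN folder, a location that normally holds shortcuts rather than PE files. The script below is an added example, not part of the Joe Sandbox report or of the sample: it encodes those two observations as checks over process-creation records and correlates the schtasks hit back to its parent. The event records are constructed; PIDs, the task names, the sample's launch directory and the second .tmp file name are assumptions, while the file paths follow the ones listed in the graph and the /Create /XML syntax is the standard schtasks form.

```python
"""Detection checks for the persistence chain in the behavior graph above.

Added example (not from the report or the sample). The event records below
are constructed: PIDs, command lines, task names and the second .tmp name
are assumptions; the file paths follow the ones the graph lists.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    parent_pid: int
    image: str       # full path of the new process
    cmdline: str     # its command line


# schtasks /Create ... /XML <file> where <file> sits under the user's Temp folder.
# Same idea as the Sigma rule "Scheduled temp file as task from temp location".
_TEMP_XML = re.compile(
    r'/xml\s+"?(?P<path>[a-z]:\\users\\[^"\s]+?\\appdata\\local\\temp\\[^"\s]+)"?',
    re.IGNORECASE,
)

# Start Menu\Programs should hold shortcuts, not PE files; a .exe launched from
# there (here vlc.exe under ...\Programs\VideoLAN\) is masquerading as an app.
_START_MENU_EXE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\.+\.exe$",
    re.IGNORECASE,
)


def temp_xml_task(ev: ProcEvent) -> Optional[str]:
    """Return the Temp XML path when ev is schtasks.exe creating a task from %TEMP%."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if "/create" not in ev.cmdline.lower():
        return None
    m = _TEMP_XML.search(ev.cmdline)
    return m.group("path") if m else None


def exe_in_start_menu(ev: ProcEvent) -> bool:
    """True when the process image lives inside the user's Start Menu\\Programs tree."""
    return _START_MENU_EXE.search(ev.image) is not None


def find_persistence_chain(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Run both checks over a batch of events; each hit becomes one finding dict
    carrying the rule name, the PID and (for schtasks) the parent image."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for ev in events:
        xml = temp_xml_task(ev)
        if xml:
            parent = by_pid.get(ev.parent_pid)
            findings.append({
                "rule": "schtasks_temp_xml",
                "pid": ev.pid,
                "parent": parent.image if parent else None,
                "xml": xml,
            })
        if exe_in_start_menu(ev):
            findings.append({"rule": "exe_in_start_menu", "pid": ev.pid, "image": ev.image})
    return findings


# Constructed events mirroring the graph: the sample spawns schtasks.exe twice,
# each reading a task definition from Temp, and the Start Menu copy later runs.
# The last two records are benign controls (a task from Program Files; real VLC).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\7iatifHQEp.exe",
              r'"C:\Users\user\Desktop\7iatifHQEp.exe"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "example" /xml "C:\Users\user\AppData\Local\Temp\tmp52.tmp"'),
    ProcEvent(102, 100, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "example task" /xml "C:\Users\user\AppData\Local\Temp\tmpA1.tmp"'),
    ProcEvent(103, 1, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe",
              r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'),
    ProcEvent(104, 1, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /xml "C:\Program Files\Backup\task.xml"'),
    ProcEvent(105, 1, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r'"C:\Program Files\VideoLAN\VLC\vlc.exe"'),
]

if __name__ == "__main__":
    for hit in find_persistence_chain(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed batch it yields three findings (two schtasks_temp_xml hits with the sample as parent, one exe_in_start_menu hit for the dropped vlc.exe) and nothing for the two control records. The parent correlation matters in practice: schtasks.exe invoked by an installer under Program Files is routine, the same command launched by an unsigned binary in a user-writable directory is not, so a production rule would add the parent path to the verdict rather than alerting on the Temp XML alone.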

Screenshots

[screenshot thumbnails not reproduced]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
7iatifHQEp.exe | 23% | Virustotal
7iatifHQEp.exe | 15% | ReversingLabs
7iatifHQEp.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 15% | ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 15% | ReversingLabs

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.7iatifHQEp.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.2.vlc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
26.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
23.2.7iatifHQEp.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
29.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
31.2.vlc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

Source | Detection | Scanner
atacoinc8897.hopto.org | 6% | Virustotal

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cnJ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-d | 0% | Avira URL Cloud | safe
http://www.urwpp.deo4( | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnv-s | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htmn-ustr | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comcomaD | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/9 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/9 | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/0 | 0% | Avira URL Cloud | safe
http://www.carterandcone.com= | 0% | Avira URL Cloud | safe
http://www.urwpp.de2 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.carterandcone.comitk | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.comJ | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.tiro.comslnt | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/M | 0% | Avira URL Cloud | safe
http://www.fontbureau.co | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/a-da | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/D | 0% | Avira URL Cloud | safe
http://www.carterandcone.comw.c3-x | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/w | 0% | Avira URL Cloud | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.comtx | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/w | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn5 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0-d | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/j | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/tion | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
atacoinc8897.hopto.org | 185.140.53.132 | true | true | - | unknown

URLs from Memory and Binaries

Each entry lists the URL, the memory dumps it was found in, the report's Malicious verdict, any antivirus detection, and the reputation.

http://www.fontbureau.com/designersG
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.fontbureau.com/designers/?
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.founder.com.cn/cnJ
  Sources: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.founder.com.cn/cn/bThe
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.fontbureau.com/designers?
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.jiyu-kobo.co.jp/a-d
  Sources: 7iatifHQEp.exe, 00000000.00000003.663531498.0000000005D64000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.urwpp.deo4(
  Sources: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: low

http://www.founder.com.cn/cnv-s
  Sources: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.galapagosdesign.com/staff/dennis.htmn-ustr
  Sources: 7iatifHQEp.exe, 00000000.00000003.669355371.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.tiro.com
  Sources: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.fontbureau.com/designersV
  Sources: 7iatifHQEp.exe, 00000000.00000003.666404104.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.fontbureau.com/designersE&
  Sources: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.fontbureau.comcomaD
  Sources: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.fontbureau.com/designers
  Sources: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.goodfont.co.kr
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.carterandcone.com
  Sources: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.fontbureau.com/designersP
  Sources: 7iatifHQEp.exe, 00000000.00000003.665404943.0000000005D8F000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.jiyu-kobo.co.jp/jp/9
  Sources: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.sajatypeworks.com
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.jiyu-kobo.co.jp/9
  Sources: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.typography.netD
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.founder.com.cn/cn/cThe
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.galapagosdesign.com/staff/dennis.htm
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://fontfabrik.com
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.jiyu-kobo.co.jp/0
  Sources: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.carterandcone.com=
  Sources: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: low

http://www.fontbureau.com/designersd
  Sources: 7iatifHQEp.exe, 00000000.00000003.665207459.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.urwpp.de2
  Sources: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.galapagosdesign.com/DPlease
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.jiyu-kobo.co.jp/Y0
  Sources: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.carterandcone.comitk
  Sources: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.ascendercorp.com/typedesigners.html
  Sources: 7iatifHQEp.exe, 00000000.00000003.664122612.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.fonts.com
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.sandoll.co.kr
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.urwpp.deDPlease
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.fontbureau.com/designersH&
  Sources: 7iatifHQEp.exe, 00000000.00000003.666170417.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.urwpp.de
  Sources: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665022443.0000000005D8E000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.666770593.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.zhongyicts.com.cn
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.carterandcone.comJ
  Sources: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://www.sakkal.com
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

http://www.fontbureau.com/designerst
  Sources: 7iatifHQEp.exe, 00000000.00000003.665427572.0000000005D8F000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.apache.org/licenses/LICENSE-2.0
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.fontbureau.com
  Sources: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.fontbureau.com/designers/~
  Sources: 7iatifHQEp.exe, 00000000.00000003.665162800.0000000005D8E000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: none; Reputation: high

http://www.tiro.comslnt
  Sources: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
                                  http://www.jiyu-kobo.co.jp/M7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.co7iatifHQEp.exe, 00000000.00000003.665230209.0000000005D8E000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/a-da7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/D7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comw.c3-x7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/w7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.come.com7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.coml7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comtx7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlN7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/w7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.founder.com.cn/cn7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-user.html7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.com/designers/cabarga.html7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.founder.com.cn/cn57iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/Y0-d7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com/designers87iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/j7iatifHQEp.exe, 00000000.00000003.663884592.0000000005D6B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlx27iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designers/7iatifHQEp.exe, 00000000.00000003.665186452.0000000005D8E000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp/tion7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers/frere-user.html~7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmpfalse
                                                high

Contacted IPs

Public

IP:185.140.53.132
Domain:unknown
Country:Sweden
ASN:209623
ASN Name:DAVID_CRAIGGG
Malicious:true

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:319522
Start date:18.11.2020
Start time:11:57:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 13m 27s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:7iatifHQEp.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:33
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@28/14@1/1
EGA Information:Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.4%)
• Quality average: 63.3%
• Quality standard deviation: 32.5%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 129
• Number of non-executed functions: 6
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 92.122.145.220, 52.255.188.83, 51.104.139.180, 13.107.4.50, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, Edge-Prod-FRAr4a.env.au.au-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, store-images.s-microsoft.com, au.c-0001.c-msedge.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time:11:58:31
Type:Autostart
Description:Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

Time:11:58:36
Type:Task Scheduler
Description:Run new task: DHCP Monitor path: "C:\Users\user\Desktop\7iatifHQEp.exe" s>$(Arg0)

Time:11:58:36
Type:API Interceptor
Description:678x Sleep call for process: 7iatifHQEp.exe modified

Time:11:58:38
Type:Task Scheduler
Description:Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Time:11:58:39
Type:Autostart
Description:Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Time:11:58:48
Type:Autostart
Description:Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

Joe Sandbox View / Context

IPs

Match:185.140.53.132
Associated Sample Name / URL (Detection):
• Do43p0ghpz.exe (malicious)
• zWKtabs92B.exe (malicious)
• 0076364_00533MXS2.jar (malicious)
• Atlas Home Products Inc RFQ_pdf.jar (malicious)
• Payment Advice Hsbc_pdf.jar (malicious)
• NOTIFICA DI ARRIVO DHL_PDF.jar (malicious)
• NOTIFICA DI ARRIVO DHL_PDF.jar (malicious)
• BOLDROCCHI SRL ITALY QUOTATION REQUEST_PDF.jar (malicious)
• REQUEST FOR QUOTATION.jar (malicious)
• REQUEST FOR QUOTATION_pdf.jar (malicious)
• REQUEST FOR QUOTATION_pdf.jar (malicious)
• Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jar (malicious)
• Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jar (malicious)
• Ziraat Bankasi Swift_pdf.jar (malicious)
• YI SHNUFA REQUEST FOR QUOTATION.jar (malicious)
• YI SHNUFA REQUEST FOR QUOTATION.jar (malicious)
• TyRSrOojgV.exe (malicious)
• 2KGU6Ue1fD.exe (malicious)
• DvYWRCSr5w.exe (malicious)
• PURCHASE09812.exe (malicious)

Domains

Match:atacoinc8897.hopto.org
Associated Sample Name / URL (Detection), Context:
• Do43p0ghpz.exe (malicious), Context: 185.140.53.132
• zWKtabs92B.exe (malicious), Context: 185.140.53.132
• wIeFid8p7Q.exe (malicious), Context: 103.125.189.164
• gSTnUDrWFe.exe (malicious), Context: 185.244.26.199
• FpK385nmHk.exe (malicious), Context: 185.244.26.199
• 7sbXVpHq6E.exe (malicious), Context: 185.244.26.199
• Z08LsyTAN6.exe (malicious), Context: 103.125.189.164
• oIgeDSRrq4.exe (malicious), Context: 23.105.131.174
• OGKH8KZq2Z.exe (malicious), Context: 23.105.131.174
• INVOICE.doc (malicious), Context: 23.105.131.174

ASN

Match:DAVID_CRAIGGG
Associated Sample Name / URL (Detection), Context:
• Sbext4ZNBq.exe (malicious), Context: 185.140.53.197
• xEdiPz1bC3.exe (malicious), Context: 185.140.53.234
• 7D1wvBrRib.exe (malicious), Context: 185.140.53.234
• O8LDCTOK07.exe (malicious), Context: 185.140.53.233
• aE78QTkV5H.exe (malicious), Context: 185.244.30.98
• DHL Shipment Notice of Arrival AWB 8032697940773.js (malicious), Context: 185.165.153.158
• ORDER-#00654.doc.....exe (malicious), Context: 185.165.153.116
• SMJshb9rCD.exe (malicious), Context: 185.140.53.154
• vUQV0nqjYx.exe (malicious), Context: 185.140.53.182
• Do43p0ghpz.exe (malicious), Context: 185.140.53.132
• DHL ShipmentDHL Shipment 237590.pdf.exe (malicious), Context: 185.140.53.207
• 7GAi7ZFQz8.exe (malicious), Context: 185.165.153.116
• KL0DeoXZFx.dll (malicious), Context: 91.193.75.78
• C1jkp1o3Vl.dll (malicious), Context: 185.140.53.152
• fYRqcuLMYk.exe (malicious), Context: 185.140.53.137
• 02oBhZg39b.exe (malicious), Context: 185.244.30.112
• 7crYMLdmCL.exe (malicious), Context: 185.140.53.234
• Sw4rkFUNJt.exe (malicious), Context: 185.140.53.137
• qelMUH5CPF.exe (malicious), Context: 185.140.53.149
• zWKtabs92B.exe (malicious), Context: 185.140.53.132

JA3 Fingerprints

No context

Dropped Files

No context

                                                                                        Created / dropped Files

                                                                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):811008
                                                                                        Entropy (8bit):7.082080403210023
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:JIUpevuzaBAGteHzdAaLMS3EtEOv5+RlC8+lEvKlJfF05Ibmu9EgeIKxAtWK:Lza2GtGAXhEXRlCbH
                                                                                        MD5:2AB285BA8F3215A095FC99C969A375C0
                                                                                        SHA1:4B8D19B22ED5562A7677DC7F5E5FE5A7167549F5
                                                                                        SHA-256:BC36FA2314F4E45645AF22CA75887B7B627DE4A65BFD1D274F18E7FC1975C8E4
                                                                                        SHA-512:573A1720F9F4A0B112A972BA55AB9C4D17F8AB8AC4D08BA6DCE21DB8925761F0E5CCC4E41B3545CA0A19FF593AE0B83544B37F57240A1E78774B4E4DC2903310
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 15%
                                                                                        Reputation:low
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.._.....................z........... ... ....@.. ....................................@.................................D...J.... ...v........................................................................... ............... ..H............text........ ...................... ..`.rsrc....v... ...x..................@..@.reloc...............^..............@..B................t.......H............E..............p"..........................................N+.+.*(m...+.(V...+.6.(.....(g...*..>+.+.*.+.(....+..0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+......(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(.
                                                                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7iatifHQEp.exe.log
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):1119
                                                                                        Entropy (8bit):5.356708753875314
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                        MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                        SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                        SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                        SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                        Malicious:true
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1119
                                                                                        Entropy (8bit):5.356708753875314
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                        MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                        SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                        SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                        SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log
                                                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1119
                                                                                        Entropy (8bit):5.356708753875314
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                        MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                        SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                        SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                        SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                        Malicious:false
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Temp\tmp37F.tmp
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1310
                                                                                        Entropy (8bit):5.109425792877704
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                        Malicious:false
                                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                        C:\Users\user\AppData\Local\Temp\tmp52.tmp
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1300
                                                                                        Entropy (8bit):5.10468653885933
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YkCxtn:cbk4oL600QydbQxIYODOLedq3Nj
                                                                                        MD5:7B2330246D352470D40A3CF9AFB7DF22
                                                                                        SHA1:090EDAEC13EFD731E0AF391F245B059B8C2B2303
                                                                                        SHA-256:7DDDBFD2E795938A056485FAEB03947116626C21FD000C1AC892566E4CDABF27
                                                                                        SHA-512:9628C56680323A8A57B6AD27055C1E504164BA0F6721F9555F72715F3F070D4A7CB0D11A40456241DD3BA21B469576D03371D793024388273D11B48C42E69255
                                                                                        Malicious:true
                                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
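Both temp XML files above (tmp37F.tmp and tmp52.tmp) are Task Scheduler definitions with an empty <Triggers /> element and RunLevel HighestAvailable, and the report's file type (ASCII text) disagrees with the UTF-16 that their XML declaration claims, so a parser that honours the declaration may reject or misread them. The checker below is an added example, not Joe Sandbox or NanoCore code: it decodes the file by its bytes rather than its declaration, then reports the traits that matter for triage (the "Scheduled temp file as task from temp location" and schtasks signatures in this report). SAMPLE_TASK is constructed from the tmp52.tmp preview, abridged to the elements the checker reads and closed after <RunOnlyIfIdle>, where the preview is cut off; the temp-directory markers are an assumption about where staged task XML usually lands, not something the report states.

```python
"""Check a Task Scheduler XML definition for the traits this report flags.

Added example for this page, not Joe Sandbox or NanoCore code. SAMPLE_TASK
is constructed from the tmp52.tmp preview: declaration, Triggers, Principals
and the Settings elements the checker reads are copied as shown; the preview
stops after <RunOnlyIfIdle>, so </Settings> and </Task> are added here to
make it parseable. The bytes are ASCII while the declaration claims UTF-16,
as in the dropped file.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed staging locations for task XML handed to schtasks /create /xml.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

SAMPLE_TASK = (
    b'<?xml version="1.0" encoding="UTF-16"?>\r\n'
    b'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    b'  <RegistrationInfo />\r\n'
    b'  <Triggers />\r\n'
    b'  <Principals>\r\n'
    b'    <Principal id="Author">\r\n'
    b'      <LogonType>InteractiveToken</LogonType>\r\n'
    b'      <RunLevel>HighestAvailable</RunLevel>\r\n'
    b'    </Principal>\r\n'
    b'  </Principals>\r\n'
    b'  <Settings>\r\n'
    b'    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n'
    b'    <Enabled>true</Enabled>\r\n'
    b'    <Hidden>false</Hidden>\r\n'
    b'    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n'
    b'  </Settings>\r\n'  # constructed: the report preview stops before this point
    b'</Task>\r\n'
)


def decode_task_xml(raw: bytes):
    """Decode by the bytes, not by the declaration, and report both.

    Returns (text_without_declaration, declared_encoding, actual_encoding).
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text, actual = raw.decode("utf-16"), "utf-16"
    else:
        text, actual = raw.decode("utf-8"), "utf-8"  # ASCII is valid UTF-8
    m = re.match(r'\s*<\?xml[^>]*encoding="([^"]+)"', text)
    declared = m.group(1).lower() if m else None
    # Strip the declaration so the XML parser cannot be misled by it.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    return text, declared, actual


def check_task(raw: bytes, staged_at: str = ""):
    """Return the list of findings for one task definition.

    staged_at is the path the XML was written to before registration
    (this report shows %LOCALAPPDATA%\\Temp\\tmp52.tmp); pass "" if unknown.
    """
    text, declared, actual = decode_task_xml(raw)
    root = ET.fromstring(text)
    findings = []
    if declared and declared.replace("-", "") != actual.replace("-", ""):
        findings.append(f"encoding_mismatch:{declared}->{actual}")
    if root.findtext("t:Principals/t:Principal/t:RunLevel", "", TASK_NS) == "HighestAvailable":
        findings.append("run_level_highest")
    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is None or len(triggers) == 0:
        findings.append("no_triggers")  # nothing fires it; it has to be started on demand
    if root.findtext("t:Settings/t:AllowStartOnDemand", "", TASK_NS) == "true":
        findings.append("start_on_demand")
    if root.findtext("t:Settings/t:Hidden", "", TASK_NS) == "true":
        findings.append("hidden")
    if any(marker in staged_at.lower() for marker in TEMP_MARKERS):
        findings.append("xml_from_temp")
    return findings


if __name__ == "__main__":
    for finding in check_task(SAMPLE_TASK, r"C:\Users\user\AppData\Local\Temp\tmp52.tmp"):
        print(finding)
```

A task with no triggers and AllowStartOnDemand set never fires on its own: whatever registered it has to start it (schtasks /run or the Task Scheduler API), and it then runs with the highest privileges the registering user's interactive token allows. That is why an empty Triggers element combined with RunLevel HighestAvailable is worth a finding even though the XML declares nothing about what the task executes.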
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):232
                                                                                        Entropy (8bit):7.089541637477408
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
                                                                                        MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
                                                                                        SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
                                                                                        SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
                                                                                        SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
                                                                                        Malicious:false
                                                                                        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):8
                                                                                        Entropy (8bit):3.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:XE9t:k
                                                                                        MD5:2AE5D43A0C74E5D9BBA4FA5DB4DD2345
                                                                                        SHA1:0866AFA7D31872559551FBB7D137D40100915810
                                                                                        SHA-256:FF7CE978C1D3E2BFE33296404C2F6FC8C5E89336C27273C68E06251BA3833B92
                                                                                        SHA-512:7F16C2754D2F71585E122B646439D4FF441EF8017C4ECD216316142238B7D75BD0E79F0C2B1DA8CD765510E19586913FE43992F0979D89DC0FE1B660BEB7448C
                                                                                        Malicious:true
                                                                                        Preview: .....H
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:modified
                                                                                        Size (bytes):40
                                                                                        Entropy (8bit):5.153055907333276
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                                        MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                                        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                                        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                                        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                                        Malicious:false
                                                                                        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):327768
                                                                                        Entropy (8bit):7.999367066417797
                                                                                        Encrypted:true
                                                                                        SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                                                                        MD5:2E52F446105FBF828E63CF808B721F9C
                                                                                        SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                                                                        SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                                                                        SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                                                                        Malicious:false
                                                                                        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):37
                                                                                        Entropy (8bit):4.247030650103631
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:oNt+WfWSME4t0fC:oNwvSF4t0K
                                                                                        MD5:92DB28D61318824ABC7279FA247CBF99
                                                                                        SHA1:E31A7C34F6F0874669F9129E37CD6433905B8884
                                                                                        SHA-256:DBB10276ED41703245EF28CCE0D0A59C20DCDB59FF21F0EA778BC519F3167A9F
                                                                                        SHA-512:9C0640DB7F395831BEBC15EB13FCEF6B0864C75A550038CFC14698BE6345FC80620D99EEA8FC1114A8885430660B540FB514EC05BAD40E230F538B5C51FD74FA
                                                                                        Malicious:false
                                                                                        Preview: C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):811008
                                                                                        Entropy (8bit):7.082080403210023
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:JIUpevuzaBAGteHzdAaLMS3EtEOv5+RlC8+lEvKlJfF05Ibmu9EgeIKxAtWK:Lza2GtGAXhEXRlCbH
                                                                                        MD5:2AB285BA8F3215A095FC99C969A375C0
                                                                                        SHA1:4B8D19B22ED5562A7677DC7F5E5FE5A7167549F5
                                                                                        SHA-256:BC36FA2314F4E45645AF22CA75887B7B627DE4A65BFD1D274F18E7FC1975C8E4
                                                                                        SHA-512:573A1720F9F4A0B112A972BA55AB9C4D17F8AB8AC4D08BA6DCE21DB8925761F0E5CCC4E41B3545CA0A19FF593AE0B83544B37F57240A1E78774B4E4DC2903310
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 15%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.._.....................z........... ... ....@.. ....................................@.................................D...J.... ...v........................................................................... ............... ..H............text........ ...................... ..`.rsrc....v... ...x..................@..@.reloc...............^..............@..B................t.......H............E..............p"..........................................N+.+.*(m...+.(V...+.6.(.....(g...*..>+.+.*.+.(....+..0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+......(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier
Process: C:\Users\user\Desktop\7iatifHQEp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.082080403210023
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 7iatifHQEp.exe
File size: 811008
MD5: 2ab285ba8f3215a095fc99c969a375c0
SHA1: 4b8d19b22ed5562a7677dc7f5e5fe5a7167549f5
SHA256: bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4
SHA512: 573a1720f9f4a0b112a972ba55ab9c4d17f8ab8ac4d08ba6dce21db8925761f0e5ccc4e41b3545ca0a19ff593ae0b83544b37f57240a1e78774b4e4dc2903310
SSDEEP: 12288:JIUpevuzaBAGteHzdAaLMS3EtEOv5+RlC8+lEvKlJfF05Ibmu9EgeIKxAtWK:Lza2GtGAXhEXRlCbH
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.._.....................z........... ... ....@.. ....................................@................................

File Icon

Icon Hash: 74f2dbb284c2e2ee

Static PE Info

General

Entrypoint: 0x48028e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB48348 [Wed Nov 18 02:13:28 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x80244 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x47615 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7e294 | 0x7e400 | False | 0.947399056312 | data | 7.93849654903 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x82000 | 0x47615 | 0x47800 | False | 0.200174825175 | data | 4.66083231207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x8208c | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xc40d8 | 0x25a8 | data | |
RT_ICON | 0xc66a4 | 0x10a8 | data | |
RT_ICON | 0xc7770 | 0x988 | data | |
RT_ICON | 0xc811c | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xc85c0 | 0x4c | data | |
RT_VERSION | 0xc8648 | 0x33c | data | |
RT_MANIFEST | 0xc89c0 | 0xc55 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | (c) 2020 Skype and/or Microsoft
Assembly Version | 8.61.0.87
InternalName | POP.exe
FileVersion | 8.61.0.87
CompanyName | Skype Technologies S.A.
Comments | Skype Setup
ProductName | Skype
ProductVersion | 8.61.0.87
FileDescription | Skype Setup
OriginalFilename | POP.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/18/20-11:58:38.981958 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 2008 | 192.168.2.4 | 185.140.53.132

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2020 11:58:38.711035967 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:38.929177999 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:38.930305004 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:38.981957912 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:39.210066080 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:39.217971087 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:39.437911034 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:39.468616962 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:39.752727032 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:39.752876043 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.035464048 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.044193983 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.044223070 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.044240952 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.044337034 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.044461012 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.044564962 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.263046980 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263077974 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263096094 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263154030 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263171911 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.263237953 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.263257027 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263279915 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263294935 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263314009 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.263322115 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.263406992 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.480839014 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.480870008 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.480973005 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.481910944 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484441042 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484466076 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484493971 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484509945 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484525919 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484539032 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484550953 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484561920 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484571934 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.484587908 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.484594107 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484611034 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484617949 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.484632969 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484644890 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.484666109 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.485060930 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.699049950 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.699076891 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.699091911 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.699112892 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.699150085 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.699184895 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.702172995 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702203035 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702254057 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702274084 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702285051 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.702342987 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702397108 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.702459097 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702507019 CET | 49740 | 2008 | 192.168.2.4 | 185.140.53.132
Nov 18, 2020 11:58:40.702752113 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
Nov 18, 2020 11:58:40.702779055 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702794075 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702816010 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702830076 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702861071 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702868938 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702897072 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702939034 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702965021 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702975988 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702991962 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703007936 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703027010 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703042984 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703052044 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703063965 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703087091 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703097105 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703118086 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703149080 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703176022 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703182936 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703200102 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703217030 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703223944 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703239918 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703253984 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703282118 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703300953 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.916192055 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916273117 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916297913 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916315079 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916330099 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916346073 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.916362047 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916393042 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.916412115 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.917211056 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.917232037 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.917280912 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.919958115 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920119047 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920140028 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920181036 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.920523882 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920546055 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920561075 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920576096 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920605898 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.920617104 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.920659065 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920700073 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.920864105 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920928955 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920950890 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920969963 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.920984030 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.921004057 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.921674013 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922122002 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922171116 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922187090 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922382116 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922403097 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922419071 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922449112 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922457933 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922480106 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922509909 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922782898 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922808886 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922823906 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922837973 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922847033 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922872066 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922882080 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922889948 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922909021 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922924995 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922940016 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.922955036 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.922983885 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.923007011 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923022985 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923038006 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923082113 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.923135042 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923163891 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923192024 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923203945 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923216105 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923229933 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923238993 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.923264980 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.923444986 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923465967 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923480034 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923490047 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.923502922 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923521042 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923527002 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.923542976 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.923564911 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.039683104 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.133657932 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.133686066 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.133703947 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.133754015 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.133780956 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.133836985 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.133853912 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.133871078 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.133923054 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.134511948 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.134533882 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.134593010 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.137686014 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.137784958 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.137804985 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.137860060 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.138055086 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138113022 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.138187885 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138220072 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138242960 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138262033 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138271093 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.138300896 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138319016 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138325930 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.138340950 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138360977 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.138365984 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.138410091 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.139600992 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.139619112 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.139698982 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.139853954 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.139872074 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.139921904 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.139959097 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.139980078 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.140022039 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.140496969 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141005993 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141031027 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141047001 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141062021 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141076088 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141108990 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141249895 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141392946 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141416073 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141427994 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141477108 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141496897 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141511917 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141529083 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141544104 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141558886 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141573906 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141581059 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141597986 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141613007 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141653061 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141674995 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141690969 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141733885 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141751051 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141761065 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141799927 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141810894 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141926050 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141941071 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:41.141952038 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.141968012 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:41.142009020 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:24.286648035 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:24.775528908 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:25.042639017 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:29.233972073 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:29.287038088 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:30.446949005 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:30.718627930 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:31.642788887 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:31.694650888 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:34.254287004 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:34.303055048 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:35.507812977 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:35.781110048 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:39.267179012 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:39.319120884 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:39.755887032 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:39.803538084 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:40.747428894 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:41.015407085 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:44.281168938 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:44.335131884 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:46.022635937 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:46.296509027 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:47.868266106 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:47.913661003 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:49.287532091 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:49.335608959 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:51.946204901 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:52.223588943 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:54.301498890 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:54.351655960 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:55.992669106 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:56.039226055 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:57.009180069 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:59:57.270100117 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:59.308209896 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:59:59.352049112 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 12:00:02.135143042 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 12:00:02.403928041 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 12:00:04.096982956 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 12:00:04.149291039 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 12:00:04.367585897 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 12:00:04.414961100 CET497402008192.168.2.4185.140.53.132

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 18, 2020 11:58:38.663141966 CET | 192.168.2.4 | 8.8.8.8 | 0x4e5c | Standard query (0) | atacoinc8897.hopto.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 18, 2020 11:58:38.700674057 CET | 8.8.8.8 | 192.168.2.4 | 0x4e5c | No error (0) | atacoinc8897.hopto.org | | 185.140.53.132 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 11:57:54
Start date: 18/11/2020
Path: C:\Users\user\Desktop\7iatifHQEp.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\7iatifHQEp.exe'
Imagebase: 0xae0000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:58:32
Start date: 18/11/2020
Path: C:\Users\user\Desktop\7iatifHQEp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\7iatifHQEp.exe
Imagebase: 0x910000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 11:58:34
Start date: 18/11/2020
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
Imagebase: 0x3b0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:58:35
Start date: 18/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:58:35
Start date: 18/11/2020
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
Imagebase: 0x3b0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:58:36
Start date: 18/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:58:36
Start date: 18/11/2020
Path: C:\Users\user\Desktop\7iatifHQEp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\7iatifHQEp.exe 0
Imagebase: 0x620000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:58:38
Start date: 18/11/2020
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0xfb0000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 15%, ReversingLabs
Reputation: low

General

Start time: 11:58:39
Start date: 18/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase: 0x540000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 15%, ReversingLabs
Reputation: low

General

Start time: 11:58:48
Start date: 18/11/2020
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x7ff77ba70000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:58:56
Start date: 18/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase: 0x100000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:59:11
Start date: 18/11/2020
Path: C:\Users\user\Desktop\7iatifHQEp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\7iatifHQEp.exe
Imagebase: 0x5c0000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:59:12
Start date: 18/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase: 0x210000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 11:59:14
Start date: 18/11/2020
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase: 0xbe0000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:59:15
Start date: 18/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase: 0x880000
File size: 811008 bytes
MD5 hash: 2AB285BA8F3215A095FC99C969A375C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:11:59:26
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Imagebase:0x1d0000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:11:59:29
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Imagebase:0xd90000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:11:59:30
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Imagebase:0x700000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Disassembly

                                                                                        Code Analysis

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(00000000), ref: 07794C1C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: b2af3c1d4dac2e4d69c3e70e1404aa68b1780dfd6bcfb97ec67f134016733d56
                                                                                          • Instruction ID: 47c88c9d8d055430973973ea99ff0da5272187a0302a32de14bf489eb7a350e7
                                                                                          • Opcode Fuzzy Hash: b2af3c1d4dac2e4d69c3e70e1404aa68b1780dfd6bcfb97ec67f134016733d56
                                                                                          • Instruction Fuzzy Hash: B65154B0D012588FDB14CFA9D884BDEBBF1BF49304F248429D816AB391D774A845CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.756815188.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a861a2e7ea386193c585452a42c21c1e61e419753faef65d239b6971f49be28b
                                                                                          • Instruction ID: 5051245a495b112a29b995cd6d02f99c545af2571a9da9ebc31a793968b09991
                                                                                          • Opcode Fuzzy Hash: a861a2e7ea386193c585452a42c21c1e61e419753faef65d239b6971f49be28b
                                                                                          • Instruction Fuzzy Hash: BC525975A00524DFDB14DFA8C988A68BBB2FF49304F1581E8E64A9B366CB35EC51CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779303E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: 441712978d750e17ed0b5b4d2431fcc7f06c5ffbb24e3e5759ab6d43928efaf4
                                                                                          • Instruction ID: 36dc43f0fbdecc1c214a6fed1d5589453d72d3f06ec7a6221995afe01ab085de
                                                                                          • Opcode Fuzzy Hash: 441712978d750e17ed0b5b4d2431fcc7f06c5ffbb24e3e5759ab6d43928efaf4
                                                                                          • Instruction Fuzzy Hash: 40917CB1D01219DFDF10DFA8D8817EEBBB2BF48354F1489A9E809A7240DB749985CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779303E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: 369c2349c84cb3b3a5710eba0c74c0a250f9935499a92f41e271826b3aa8abbc
                                                                                          • Instruction ID: e35071a9bf9be1d4768539868a1e02a117e0f876ec7841d9dbb63a7a78fad99b
                                                                                          • Opcode Fuzzy Hash: 369c2349c84cb3b3a5710eba0c74c0a250f9935499a92f41e271826b3aa8abbc
                                                                                          • Instruction Fuzzy Hash: 3A918CB1D01219DFDF10DFA8D8817EEBBB2BF48354F1489A9E809A7240DB749985CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02D6990E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 9707f497f8c8114d025070b35b66ce2de18525f8ab0df7432820f71a23daa4bf
                                                                                          • Instruction ID: 5b72bcedf1b3c9f2ef5003b2dc9bb8a2537bdcdd13ea70d6fb814d82bb58bf3c
                                                                                          • Opcode Fuzzy Hash: 9707f497f8c8114d025070b35b66ce2de18525f8ab0df7432820f71a23daa4bf
                                                                                          • Instruction Fuzzy Hash: 07712470A00B058FD724DF6AC4587AAB7F1FF88214F008A2AD48ADBB50DB75E905CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(00000000), ref: 07794C1C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: 21de59a2e2b31c2d4aada01f102ffff4bfd8a790189da22876005489a2f848bc
                                                                                          • Instruction ID: 28e26107ad246fa245618359490e185166212474f58595815cfcde6c1fbee5d1
                                                                                          • Opcode Fuzzy Hash: 21de59a2e2b31c2d4aada01f102ffff4bfd8a790189da22876005489a2f848bc
                                                                                          • Instruction Fuzzy Hash: 085143B0D012988FDB18CFA9D884BDEBBF1BF49304F148429E816AB391D774A945CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 02D656F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: 9dc60b8960e28bc529c60453a3e49f59a53b81dee1473db5f4e2c5423a7f183a
                                                                                          • Instruction ID: d0eeed4276d7947a8ba6da128a82bd527047e692a5e34563ff49a8ad2eb6b3f5
                                                                                          • Opcode Fuzzy Hash: 9dc60b8960e28bc529c60453a3e49f59a53b81dee1473db5f4e2c5423a7f183a
                                                                                          • Instruction Fuzzy Hash: 5441CF71D04728CFDB24CFA9C888B9EBBB5BF48308F548069D409AB251DBB56946CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 02D656F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: 0900e99c36e7a98a1a77990cb682d87b6b4124174d0a4df5cd2d22535b3c03c1
                                                                                          • Instruction ID: 723843cabc68afc960deb2bb0c059c8fea750ca8dd1b8e6312749ad87f0790dd
                                                                                          • Opcode Fuzzy Hash: 0900e99c36e7a98a1a77990cb682d87b6b4124174d0a4df5cd2d22535b3c03c1
                                                                                          • Instruction Fuzzy Hash: 6341E3B1D00318CFDB24CFA9C98879DBBF2BF48308F148469D409AB251D7B55986CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07792B70
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: f08a7ab1d6c91cd95f6f9961d97b30093f8fc4cd391a9074a58151efcc1661b6
                                                                                          • Instruction ID: 74d077d2da1e2f86d32150b7eb3f2d6e1c3bf3739911a9e36ab17862e83abd2d
                                                                                          • Opcode Fuzzy Hash: f08a7ab1d6c91cd95f6f9961d97b30093f8fc4cd391a9074a58151efcc1661b6
                                                                                          • Instruction Fuzzy Hash: 6F2168B19003499FCF10DFA9D884BEEBBF5FF48364F04842AE918A7240D7789944CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CopyFileW.KERNELBASE(?,00000000,?), ref: 07B6B719
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.756815188.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CopyFile
                                                                                          • String ID:
                                                                                          • API String ID: 1304948518-0
                                                                                          • Opcode ID: db0b1af639e97feabca30f9d8e1a7af87a4d15a3e16a9bb465fcf047739d8f17
                                                                                          • Instruction ID: 07da5c1874951330b02e188899ce2e87b3f4b10630f0a9f906271c76a21562ad
                                                                                          • Opcode Fuzzy Hash: db0b1af639e97feabca30f9d8e1a7af87a4d15a3e16a9bb465fcf047739d8f17
                                                                                          • Instruction Fuzzy Hash: 8A2128B1D012199FDB50CF9AD484BEEFBF5EF48220F14816AE918E7241D7789A44CBA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07792B70
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 1c074105c7695fa43346425c51b147a771b2e5cd618f67862994b69781c13815
• Instruction ID: a5bff19a4bea4519cae047dfbc9e63f11507836b64f48e1b882284455590cbb9
• Opcode Fuzzy Hash: 1c074105c7695fa43346425c51b147a771b2e5cd618f67862994b69781c13815
• Instruction Fuzzy Hash: E32127B19013599FCF10DFA9C884BEEBBF5FF48354F00842AE918A7240D778A944CBA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 077929C6
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: d73b171f97ef00830afb6b2490056ff014714581db9c57b7d25387576feaa4ac
• Instruction ID: 7f5314b5ae0fc0972feb0fa263e43dd84152edb385d5b84b73f30dbf2f31a764
• Opcode Fuzzy Hash: d73b171f97ef00830afb6b2490056ff014714581db9c57b7d25387576feaa4ac
• Instruction Fuzzy Hash: B52139B19003099FCB10DFA9C4847EEBBF5FF48264F148429D559A7641C778A944CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D6BB9E,?,?,?,?,?), ref: 02D6BC5F
Memory Dump Source
• Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a9f4f98077e4d37e4300793ee5e1e7c10f21663f0fad5c9ea72d69eb0b92a195
• Instruction ID: 619ecd045249881965c2e8617efe0037e356f6c4700e7fe346c18bc27bc7b8dd
• Opcode Fuzzy Hash: a9f4f98077e4d37e4300793ee5e1e7c10f21663f0fad5c9ea72d69eb0b92a195
• Instruction Fuzzy Hash: 4C21F8B5900219DFDB10CFA9D588AEEBBF5FB48324F14841AE914B7310D374A954CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07792C50
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 747c07041f5d5a760d2678535763aefb4ef007b6d80ed6811f79ca8d159f0c64
• Instruction ID: eb441619283f87d1270e3d8ed82be6fb022d88293c247bb9e5bf106e165c7ff0
• Opcode Fuzzy Hash: 747c07041f5d5a760d2678535763aefb4ef007b6d80ed6811f79ca8d159f0c64
• Instruction Fuzzy Hash: A12116B18003599FCF10DFA9C884BEEBBF5FF48354F148829E959A7240C7789944CBA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07792C50
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 3923082b5e8c2cda8aa68a7de9a81ee17c3b714758b29e8801b8ec883de5c4fc
• Instruction ID: 84ca0b4cb65ebf081df91505041b86058040a3f54ad36353c0d447f2a7afdec6
• Opcode Fuzzy Hash: 3923082b5e8c2cda8aa68a7de9a81ee17c3b714758b29e8801b8ec883de5c4fc
• Instruction Fuzzy Hash: 412116B18003599FCF10DFA9C884BEEBBF5FF48354F108429E558A7240C7789944CBA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 077929C6
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 6f186d0d478641bbc0686a4ee281b42bf8a6c372029051e14e764c5ede0b9222
• Instruction ID: 4a3bb2f31b5474aa419ff088deb856b08ae392ab1b72c92e57eab2e651091ec5
• Opcode Fuzzy Hash: 6f186d0d478641bbc0686a4ee281b42bf8a6c372029051e14e764c5ede0b9222
• Instruction Fuzzy Hash: F82137B19003099FCB10DFAAC4847EEBBF4FB88264F14842AD559A7241CB78A944CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D6BB9E,?,?,?,?,?), ref: 02D6BC5F
Memory Dump Source
• Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ea25909c38e2409fc64a221be723d21b037cb90421fbd89dbb91bc3fde19c3dc
• Instruction ID: 3a36ce43c96f9c1db75254f479c370fe7b6239a43aa2bf855353d7aad447f997
• Opcode Fuzzy Hash: ea25909c38e2409fc64a221be723d21b037cb90421fbd89dbb91bc3fde19c3dc
• Instruction Fuzzy Hash: 1D21F5B5900219AFDB10CFA9D984AEEBBF5FB48324F14841AE914B3310D374AA44CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 9c3e38c43effeddaaa687fc9e6dab1b838415d931a481c27871b7bb9d02ea064
• Instruction ID: 7edd79f228d390625ca88bdd109edec3d72fa854df5706c177a86918abc2e52e
• Opcode Fuzzy Hash: 9c3e38c43effeddaaa687fc9e6dab1b838415d931a481c27871b7bb9d02ea064
• Instruction Fuzzy Hash: 6A117CB1A042058FCB04DFA9D844BEEFBF1AF88364F14842DD518EB251DB79A945CB91
Uniqueness
Uniqueness Score: -1.00%
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07792A8E
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 17ef8850f55911669024c3f85bf73644b1e7128c3085a4ff5625b17d7386a8b7
• Instruction ID: d28c195bc0b0d5a2a6e9816db72c41816e888158f357d3fb3107f366b0f4f6a6
• Opcode Fuzzy Hash: 17ef8850f55911669024c3f85bf73644b1e7128c3085a4ff5625b17d7386a8b7
• Instruction Fuzzy Hash: 1A1114B69002499FCF10DFAAD844BEEBBF5EF48364F148829E915A7250C775A944CBA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D69989,00000800,00000000,00000000), ref: 02D69B9A
Memory Dump Source
• Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 6fc80c192670dd74cd9be1bdef65983cb4fb2eb1b1dfe40c288c13f41b99dd9c
• Instruction ID: f14221b33114d8a9fc796b882b455ccaa00cc21fe9feff7b8b2eff4234f3f1e6
• Opcode Fuzzy Hash: 6fc80c192670dd74cd9be1bdef65983cb4fb2eb1b1dfe40c288c13f41b99dd9c
• Instruction Fuzzy Hash: A911D6B69003099FCB10CF9AD488BEEFBF4EB48354F14856AD519A7700C3B4A945CFA5
Uniqueness
Uniqueness Score: -1.00%
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07792A8E
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f0767333527862d3bcc99c4b5044ab51c8c1fb43df373a365cee5e9315b7777b
• Instruction ID: 6d6d10915dd111358cc93f62c182ee145ec2f2600da3d4f2171fabf1105bd1f5
• Opcode Fuzzy Hash: f0767333527862d3bcc99c4b5044ab51c8c1fb43df373a365cee5e9315b7777b
• Instruction Fuzzy Hash: 701126B69002499FCF10DFAAC844BEFBBF5EF48364F148829E915A7250C775A944CBA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D69989,00000800,00000000,00000000), ref: 02D69B9A
Memory Dump Source
• Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2e67adfd6538047054e0b342584be98f29724df3efe8b975bce44efa71783337
• Instruction ID: b6e29cc6e21a86f083b2fda6e0eff36910fa09e1ae5858084f71bd44b95359e3
• Opcode Fuzzy Hash: 2e67adfd6538047054e0b342584be98f29724df3efe8b975bce44efa71783337
• Instruction Fuzzy Hash: A91114B69002498FCB10CFA9C588BEEFBF4EB48314F04842AD459A7300C374A945CFA5
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 54946643993be87a66bb3b6280394723fb2df4931d4cc7e764f59e0251dd66b8
• Instruction ID: 453dfbbfdf71e59d31ccf274b3087a109c1e566c01dce5e00aad6fa6b681a019
• Opcode Fuzzy Hash: 54946643993be87a66bb3b6280394723fb2df4931d4cc7e764f59e0251dd66b8
• Instruction Fuzzy Hash: 6E1128B1D043499FCB10DFAAD4487EEFBF5EB88264F148829D519A7240C775A944CBA4
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: b4a21cd904c6ec2d3e8544c0788cfb6572f8a0d32bed54bd64f8343b6ce193a3
• Instruction ID: f15ffb81a347407762bd7d74af0750bde0e9330627bfc53bb1b949a89b2fa0c0
• Opcode Fuzzy Hash: b4a21cd904c6ec2d3e8544c0788cfb6572f8a0d32bed54bd64f8343b6ce193a3
• Instruction Fuzzy Hash: B51136B1D043498FCB10DFAAC4487EFFBF5EB88264F148829C519A7240C779A944CBA4
Uniqueness
Uniqueness Score: -1.00%
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0779558D
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 892f67606f85ac2763124e9dcf3500cb134549388bc7e79abb4a3e8b2cf376c1
• Instruction ID: 2ee5cb210b1b86193805a6bd11b26051573628f047c36a1bbfe4eeb3b8d83342
• Opcode Fuzzy Hash: 892f67606f85ac2763124e9dcf3500cb134549388bc7e79abb4a3e8b2cf376c1
• Instruction Fuzzy Hash: 731106B59003599FCB10DF99D488BDEBBF9FB48324F108459E515A7240D3B4A954CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02D6990E
Memory Dump Source
• Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 92679e6a8f691d2da69d7e093d981955bdd90fa85b8ef7a4e8ece4b02d79a39e
• Instruction ID: dc53b28f72e6b4bbe1232fb2a969c36fa8e46a62846057d91e2729725421e7a6
• Opcode Fuzzy Hash: 92679e6a8f691d2da69d7e093d981955bdd90fa85b8ef7a4e8ece4b02d79a39e
• Instruction Fuzzy Hash: 8111E3B5D003498FCB10CF9AC448BDEFBF4EB88224F14855AD419A7700D375A545CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0779558D
Memory Dump Source
• Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: c84e405d92a24b512747d3712fa4bb1bf7e9bb0a89a8457f5891802be0997968
• Instruction ID: 4ced5839b55f58374dce3e3b1ea787f15f7ece5bf651fd38d956ac75a6e0c2f9
• Opcode Fuzzy Hash: c84e405d92a24b512747d3712fa4bb1bf7e9bb0a89a8457f5891802be0997968
• Instruction Fuzzy Hash: D71115B5800359AFDB10CF99D488BDFBBF8FB48324F14841AE915A7600C3B4A684CFA1
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.744096748.000000000114D000.00000040.00000001.sdmp, Offset: 0114D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f567b8cdf5554d4dd43ff129743cc21fa8c8e0507e5b37efaaf567529f433592
• Instruction ID: cccda8dc3c34ffad060e4114c2ccec3f6f5950bad73ba872b1722c54ac800ccb
• Opcode Fuzzy Hash: f567b8cdf5554d4dd43ff129743cc21fa8c8e0507e5b37efaaf567529f433592
• Instruction Fuzzy Hash: 5F21C271504240DFDF098F54E4C0B26BF71FB94718F2485A9E9444F216C736D516CBA2
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.744414910.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19a011ce25e0f409046b7be8612c4e04db3a936c99446df27bbd565798db4af1
• Instruction ID: 9e8d517a3818cce97b9ed33b85b3781ce50800f8414cb536624836243ab084c6
• Opcode Fuzzy Hash: 19a011ce25e0f409046b7be8612c4e04db3a936c99446df27bbd565798db4af1
• Instruction Fuzzy Hash: B011E4B5904280DFDB16CF54D8C0B56BBA1FF84318F24C5AED8494B356C376D807CA51
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.744096748.000000000114D000.00000040.00000001.sdmp, Offset: 0114D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7c25490c2b77995f49620b461596cae8e0eabafd605d53eb102a9268acc9770f
                                                                                          • Instruction ID: 0fd8f81a8c311f025b4ebf0023807b648428704cdf9915d28e6c258c9f1d4d97
                                                                                          • Opcode Fuzzy Hash: 7c25490c2b77995f49620b461596cae8e0eabafd605d53eb102a9268acc9770f
                                                                                          • Instruction Fuzzy Hash: B7116AB5900240DFCF1ACF54E584B56BF72FB98328F2486A9D8490A61AC336D556CBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744414910.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6815a4695fc126e01aa731a41ac7c12442ef6b9e3d4c7329de5cbf08a030575e
                                                                                          • Instruction ID: 4ca211b376af4d4420f67aedd1a8dd9266c1596261d086ea2dca17d7f93cda91
                                                                                          • Opcode Fuzzy Hash: 6815a4695fc126e01aa731a41ac7c12442ef6b9e3d4c7329de5cbf08a030575e
                                                                                          • Instruction Fuzzy Hash: 39119EB5904280DFCB16CF54D584B56BBA2FF84318F24C6AAD8094B356C336D417CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 48a7ddf21372094367529a80413c07aee95ea6b3f0babf0cc3c58c94d3e87e1e
                                                                                          • Instruction ID: 574360f25ad0171005c6c14142ea441aa11ab0c87c852d5ff076dc116262d4ad
                                                                                          • Opcode Fuzzy Hash: 48a7ddf21372094367529a80413c07aee95ea6b3f0babf0cc3c58c94d3e87e1e
                                                                                          • Instruction Fuzzy Hash: CED1B9B07026018FDB19DB65D464BAAB7F6EF89380F20897EC505CB290DB35E902CB61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bcddbd97e539805b23a91046d24423314a1153aad88390a07e7cc5a9d659a451
                                                                                          • Instruction ID: 006dbf44a25352cf236cab09a92711ab037f018e71318d0e6cde22135a199693
                                                                                          • Opcode Fuzzy Hash: bcddbd97e539805b23a91046d24423314a1153aad88390a07e7cc5a9d659a451
                                                                                          • Instruction Fuzzy Hash: 3F1297F1421F468AD731CF65E89B2993FE9B755328F90420CE2615FAD1DBB4124ACF84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23784eebd1e716d989920212feff8d79b96b27c9875470fbc9a04b8ae8654857
                                                                                          • Instruction ID: af1640ab8b9c3f55eaf1bfe1ec369d76350489e0aced48c3bc41ad681e93bce8
                                                                                          • Opcode Fuzzy Hash: 23784eebd1e716d989920212feff8d79b96b27c9875470fbc9a04b8ae8654857
                                                                                          • Instruction Fuzzy Hash: 39A16D36E1061A8FCF15DFA5D8489AEBBB7FF84300B15856AE805AB361DB31AD05CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.754986755.0000000007790000.00000040.00000001.sdmp, Offset: 07790000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0d1d65f8c1212a1baa3575a19520355146d5ea2a8e2c348a428f4dabed46e13e
                                                                                          • Instruction ID: 70c304281f1d0cceb70f735d039b79f0009a50747ec73fdf724cc788d7583765
                                                                                          • Opcode Fuzzy Hash: 0d1d65f8c1212a1baa3575a19520355146d5ea2a8e2c348a428f4dabed46e13e
                                                                                          • Instruction Fuzzy Hash: C491C2B4B26606CFDF54CB5CE8447AEB7F2EB49344F08867AC01AD7641D335A884CB61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.744656428.0000000002D60000.00000040.00000001.sdmp, Offset: 02D60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f927ccae255ad7234dd0143555ee739b935dd4ef83549241a2810b6e3403b112
                                                                                          • Instruction ID: 0a1aa05be19ba3379dc2c89e044914a37f5340f3441cb9a868471114225319e3
                                                                                          • Opcode Fuzzy Hash: f927ccae255ad7234dd0143555ee739b935dd4ef83549241a2810b6e3403b112
                                                                                          • Instruction Fuzzy Hash: 38C1F8B1821F468AD721DF65E88B2997FB9BB85328F50430CE1616F6D0DFB4124ACF84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.756815188.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: db460c2415a490ef7f4297bdc2945fc2b7c3c96bbf6941b61ffa8b930d8bb9a8
                                                                                          • Instruction ID: 0cd06eafc72fe42869eccc5904871427f2392b03bca2513850bcdf332c00ab88
                                                                                          • Opcode Fuzzy Hash: db460c2415a490ef7f4297bdc2945fc2b7c3c96bbf6941b61ffa8b930d8bb9a8
                                                                                          • Instruction Fuzzy Hash: 6C518070E146298BD74CEF77E44169ABBF3ABC5208F04D639C5059B228EB785909DB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Executed Functions

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3bf6dd00d552761b994ef133a55b604104bbf29a2ef57cfa1215a660ff93b495
                                                                                          • Instruction ID: ed2436eb4d32ede257b4d165f7a7da967f5b14878adb924d6c7b08320ab5cbce
                                                                                          • Opcode Fuzzy Hash: 3bf6dd00d552761b994ef133a55b604104bbf29a2ef57cfa1215a660ff93b495
                                                                                          • Instruction Fuzzy Hash: 93F16C35A10209CFDB14DFA5D984BADBBF2BF48304F158168D419AF299DBB4E985CB40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0120B730
                                                                                          • GetCurrentThread.KERNEL32 ref: 0120B76D
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0120B7AA
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0120B803
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: 33f3c30158d7a841468c33d4dd26651456a8e7a86ac820df4eb3774246fa11e0
                                                                                          • Instruction ID: c25db4e7ffa3988c47cf8f3734a1933b095c73da7fa341d334e8fa991610cd51
                                                                                          • Opcode Fuzzy Hash: 33f3c30158d7a841468c33d4dd26651456a8e7a86ac820df4eb3774246fa11e0
                                                                                          • Instruction Fuzzy Hash: B85174B4D002498FDB54CFA9C588BEEBBF0BF48308F248659E019A73A1C7749945CF66
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0120B730
                                                                                          • GetCurrentThread.KERNEL32 ref: 0120B76D
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0120B7AA
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0120B803
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: b0d1def3f878de546f063118bb99d57fa8bddb4fd76130a8689030104fb95d00
                                                                                          • Instruction ID: 3f4e81fc77c9903e8337f7bd5aff9e6ca595fccae5ede8873c442ee6902cbd77
                                                                                          • Opcode Fuzzy Hash: b0d1def3f878de546f063118bb99d57fa8bddb4fd76130a8689030104fb95d00
                                                                                          • Instruction Fuzzy Hash: 3D5165B4D002498FDB58CFA9C588BDEBBF0BF48308F248559E019A73A0C7749944CF65
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fca5b00740f60ee9340d0f2822784a56b6a0b64b700614ed7c07e941f886ccae
                                                                                          • Instruction ID: 5ff36433c5b6a01a85be129ecc30c4878217483b9bab22686b1ca8c86bcd15d7
                                                                                          • Opcode Fuzzy Hash: fca5b00740f60ee9340d0f2822784a56b6a0b64b700614ed7c07e941f886ccae
                                                                                          • Instruction Fuzzy Hash: D3226F78F24206CFCB14CB98D588ABEBBB2FF89310F248556D516A7364C774A8C1CB61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0526E289
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CurrentThread
                                                                                          • String ID:
                                                                                          • API String ID: 2882836952-0
                                                                                          • Opcode ID: 846ea2cd9470d38392bb54d0d343a9996edec5c8483a5ddab39c1e0bcaa0bde3
                                                                                          • Instruction ID: aa71283b11145dc9ee112fd778b635bfa4d502a15c1db65ac814aaedbd52e7e1
                                                                                          • Opcode Fuzzy Hash: 846ea2cd9470d38392bb54d0d343a9996edec5c8483a5ddab39c1e0bcaa0bde3
                                                                                          • Instruction Fuzzy Hash: A881AC74E142588FCB14DFA4C844BAEBBF6FF88304F15842AD419AB350DB74A985CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0120962E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 94a4b8d43af74456ca31c48d293d920ed8b1c274cd8f92ff161d3ac396997dcd
                                                                                          • Instruction ID: 5e46c279ecd06d823b5d260bd45991eaf9b5a30228c885010540bb4e4a954220
                                                                                          • Opcode Fuzzy Hash: 94a4b8d43af74456ca31c48d293d920ed8b1c274cd8f92ff161d3ac396997dcd
                                                                                          • Instruction Fuzzy Hash: 80715670A10B068FDB25CF29D04076ABBF1FF88208F008A2DD19AD7A91D734E845CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0526E289
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CurrentThread
                                                                                          • String ID:
                                                                                          • API String ID: 2882836952-0
                                                                                          • Opcode ID: 8749a18161dc8ac0cbd7cb0b15ccc573f912572e28150e2f4d0beb18b08e66f2
                                                                                          • Instruction ID: bb91e80e9f09b74b33576bd4e508187a637bdb79e0a0cc76fba8e135962e4f40
                                                                                          • Opcode Fuzzy Hash: 8749a18161dc8ac0cbd7cb0b15ccc573f912572e28150e2f4d0beb18b08e66f2
                                                                                          • Instruction Fuzzy Hash: 84518974E143598FCF15DFA4C854AEEBBFABF48304F15852AD415AB250DB709886CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 066D3738
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.934733426.00000000066D0000.00000040.00000001.sdmp, Offset: 066C0000, based on PE: true
                                                                                          • Associated: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Query_
• String ID:
• API String ID: 428220571-0

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0120FD0A
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0120FD0A
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

APIs
• CreateActCtxA.KERNEL32(?), ref: 052646B1
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

APIs
• CreateActCtxA.KERNEL32(?), ref: 052646B1
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05262531
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0

APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0526B957
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120BD87
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120BD87
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012096A9,00000800,00000000,00000000), ref: 012098BA
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012096A9,00000800,00000000,00000000), ref: 012098BA
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0526B957
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0

APIs
• PostMessageW.USER32(?,011E53E8,00000000,?), ref: 0526E73D
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
• PostMessageW.USER32(?,011E53E8,00000000,?), ref: 0526E73D
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
• SetWindowLongW.USER32(?,?,?), ref: 0120FE9D
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0120962E
Memory Dump Source
• Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

APIs
• SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0526226A,?,00000000,?), ref: 0526C435
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0526BCBD
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0

APIs
• SendMessageW.USER32(?,00000018,00000001,?), ref: 0526D29D
Memory Dump Source
• Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0

APIs
• SendMessageW.USER32(?,00000018,00000001,?), ref: 0526D29D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 3850602802-0
                                                                                          • Opcode ID: 252010998e2056c34934c59f81b4bf5b179be0e5769c92d91acaedef97c99d08
                                                                                          • Instruction ID: 80ae63644282ad9a512c64f398df29c0b86971c90aa0d43a576d09f3994efe0e
                                                                                          • Opcode Fuzzy Hash: 252010998e2056c34934c59f81b4bf5b179be0e5769c92d91acaedef97c99d08
                                                                                          • Instruction Fuzzy Hash: A41106B58003499FDB10CF99D484BDEBFF8FB48324F148419E554A7640C3B9A584CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0526226A,?,00000000,?), ref: 0526C435
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 3850602802-0
                                                                                          • Opcode ID: 75b0673dbf506961403294a9bea3b055fccbbec26276d8549c3900fcbcf9b276
                                                                                          • Instruction ID: aeb8dcf8c4c9ce608a68786b149176fa30c6b8cb7a021e5f17521f6f9011aee1
                                                                                          • Opcode Fuzzy Hash: 75b0673dbf506961403294a9bea3b055fccbbec26276d8549c3900fcbcf9b276
                                                                                          • Instruction Fuzzy Hash: 4411F2B58002499FDB10CF9AD488BDEBBF8EB48324F148819E559A7600C3B5A985CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • OleInitialize.OLE32(00000000), ref: 0526F435
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Initialize
                                                                                          • String ID:
                                                                                          • API String ID: 2538663250-0
                                                                                          • Opcode ID: 565af9cb4aeec493cd916c78491a75d76aceb82a9296c1beac7a41d462ad2d99
                                                                                          • Instruction ID: d119199f3d4f51472108c79b7220aa3d64347c7b06647f2227e377bd34006ce8
                                                                                          • Opcode Fuzzy Hash: 565af9cb4aeec493cd916c78491a75d76aceb82a9296c1beac7a41d462ad2d99
                                                                                          • Instruction Fuzzy Hash: 8011FEB58042498FCB10DFAAD588BCEBBF8EF48324F148519D519A7604C3B9A984CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • OleInitialize.OLE32(00000000), ref: 0526F435
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Initialize
                                                                                          • String ID:
                                                                                          • API String ID: 2538663250-0
                                                                                          • Opcode ID: 3cb7804f37131e2503b4e6ed4c2c9f5c90afb1852d7730a515301c26e85c13c5
                                                                                          • Instruction ID: 4b02864a1e32c69fe20aa98324ba6ffaa98288b4611ef8b79f63b3052b257895
                                                                                          • Opcode Fuzzy Hash: 3cb7804f37131e2503b4e6ed4c2c9f5c90afb1852d7730a515301c26e85c13c5
                                                                                          • Instruction Fuzzy Hash: 201115B59042498FCB10CF9AD588BDEBBF4EF48324F14841AD519B7604D3B8A984CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0526BCBD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.933416613.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 3850602802-0
                                                                                          • Opcode ID: 5bae160257fd9b7cc5e2d991eee7c95392de34327ad61443363a99c2d5f3dba2
                                                                                          • Instruction ID: 2a0770ec8398dbd1789dc601ae19fdb751f0a86effdb21b3a428d129420df4e9
                                                                                          • Opcode Fuzzy Hash: 5bae160257fd9b7cc5e2d991eee7c95392de34327ad61443363a99c2d5f3dba2
                                                                                          • Instruction Fuzzy Hash: 0811C2B58007499FDB50CF99D588BDFBBF8FB48324F148419E915A7640C3B9AA84CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(?,?,?), ref: 0120FE9D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925715105.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1378638983-0
                                                                                          • Opcode ID: 4ddb35c03117ea99ccb96573438cceee7d89f7bc5e8a1a3149caff6c714154df
                                                                                          • Instruction ID: 51cfef8532cc659a1b9180c064ecd43f50e1db2e0c901cd8e96b6617d74c842d
                                                                                          • Opcode Fuzzy Hash: 4ddb35c03117ea99ccb96573438cceee7d89f7bc5e8a1a3149caff6c714154df
                                                                                          • Instruction Fuzzy Hash: 201103B58002498FDB10CF99D584BDFBBF8EB48324F10851AD914A7241C374A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925318614.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a4bd1af8ba0816dd367b825cbbb0c022d430b98239621b7c2855b6a800b85761
                                                                                          • Instruction ID: b9cdc9f79ce4e56673afc7a83f7d86904c402bed59237ad87ff717e7b3911617
                                                                                          • Opcode Fuzzy Hash: a4bd1af8ba0816dd367b825cbbb0c022d430b98239621b7c2855b6a800b85761
                                                                                          • Instruction Fuzzy Hash: 9A2106B1504340DFDF09EF58E8C0F56BB65FB84324F24C569E9054B687C376E846CAA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925318614.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7ff8619d3cea1bd07a862eccb8f82c6e048f62f2c9908ebc5a797f4ee0c33805
                                                                                          • Instruction ID: 04de41bf0237a2d451c959f0568ca15aa36e43e947385ca49352441d12338e49
                                                                                          • Opcode Fuzzy Hash: 7ff8619d3cea1bd07a862eccb8f82c6e048f62f2c9908ebc5a797f4ee0c33805
                                                                                          • Instruction Fuzzy Hash: 6021F4B1504340DFDF19EF98E8C0B66BB75FB88328F24C569E9054B296C376D845CBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925361008.000000000119D000.00000040.00000001.sdmp, Offset: 0119D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cbce098d1ad752685a1e5cc3622a246f1d7db97239c800a0ad121fa661519e6f
                                                                                          • Instruction ID: ee85514b2ff138b75d445804ffaa6ea5c7d44e8d524890028b21898aa5fe43f8
                                                                                          • Opcode Fuzzy Hash: cbce098d1ad752685a1e5cc3622a246f1d7db97239c800a0ad121fa661519e6f
                                                                                          • Instruction Fuzzy Hash: C9212571504200DFDF19CF54E4C4B16BB61FB84354F28C66DD9494B246C37AD806CA62
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925318614.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9cc53be5d9528aaeef22020894d931544b42b1ff85c6ad9c97e4528ce409d3a2
                                                                                          • Instruction ID: ebbcc6ac72995d87ed7a1338a2f6c2e7bc57353b690a2ac4673e94b39d38ab49
                                                                                          • Opcode Fuzzy Hash: 9cc53be5d9528aaeef22020894d931544b42b1ff85c6ad9c97e4528ce409d3a2
                                                                                          • Instruction Fuzzy Hash: 9811CDB6904280CFCF16DF44D5C4B16BF72FB84324F24C2AAD8054B256C33AD456CBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925318614.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9cc53be5d9528aaeef22020894d931544b42b1ff85c6ad9c97e4528ce409d3a2
                                                                                          • Instruction ID: 7bfa4865c2864371343a8d2e66286412eb6cc65fe24879eb0aff86963b3c701d
                                                                                          • Opcode Fuzzy Hash: 9cc53be5d9528aaeef22020894d931544b42b1ff85c6ad9c97e4528ce409d3a2
                                                                                          • Instruction Fuzzy Hash: 5811CD76404280CFCF16CF58E5C4B56BF72FB84324F24C6A9D8050BA56C33AE456CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.925361008.000000000119D000.00000040.00000001.sdmp, Offset: 0119D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3449b7ddefae3603575f8773fe3a6bc3d0f53576c6d927834e2d9db4c35367df
                                                                                          • Instruction ID: f4939346a5a63bccec346bae50107777b3172f98fcc3838f9f34967a16e93c01
                                                                                          • Opcode Fuzzy Hash: 3449b7ddefae3603575f8773fe3a6bc3d0f53576c6d927834e2d9db4c35367df
                                                                                          • Instruction Fuzzy Hash: 0E118E75504280DFDF16CF54E5C4B15BB62FB44314F28C6A9D8494B656C33AD44ACBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 029EBA10
                                                                                          • GetCurrentThread.KERNEL32 ref: 029EBA4D
                                                                                          • GetCurrentProcess.KERNEL32 ref: 029EBA8A
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 029EBAE3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID: @
                                                                                          • API String ID: 2063062207-935976969
                                                                                          • Opcode ID: 483ee44c1d275dfb08d692f4a4a5067837c822d8992bc69589fc83d4dc542eaa
                                                                                          • Instruction ID: 6a91ffa6368f86b8d982b10037f0e858c29e649563a4802f8eea7e5a24d4dfab
                                                                                          • Opcode Fuzzy Hash: 483ee44c1d275dfb08d692f4a4a5067837c822d8992bc69589fc83d4dc542eaa
                                                                                          • Instruction Fuzzy Hash: DE5144B09002498FDB50CFA9D988BDEBBF1BB88318F208459E41AA7250DB789944CF65
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000004B), ref: 029E823D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem
                                                                                          • String ID: @
                                                                                          • API String ID: 4116985748-935976969
                                                                                          • Opcode ID: 9cd4d4130013a26934ef8e302b4da13ff4c2a077c384ca42a08e39617b56186a
                                                                                          • Instruction ID: 60c5033e04e649a2bfaca55bbf99f2186c64b2fb84d1493616cc159f22535893
                                                                                          • Opcode Fuzzy Hash: 9cd4d4130013a26934ef8e302b4da13ff4c2a077c384ca42a08e39617b56186a
                                                                                          • Instruction Fuzzy Hash: 1D31E234D04384CFCB11DFA5E4483EA7FF4AB55314F48489AD486A7242CB79D956CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DF2C50
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID: W
                                                                                          • API String ID: 1726664587-655174618
                                                                                          • Opcode ID: 342307b8599c61831bb9989910916f3208486860c30256c1f9f0598d107ed16e
                                                                                          • Instruction ID: e4b977b30d79a11a86a95214af771b0535eb390f728eebe4788653c983a8d93b
                                                                                          • Opcode Fuzzy Hash: 342307b8599c61831bb9989910916f3208486860c30256c1f9f0598d107ed16e
                                                                                          • Instruction Fuzzy Hash: 062114B1D002499FCB50CFA9C884BEEBBF5FF48314F55842AE959A7240C778A944CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • ResumeThread.KERNELBASE(00000006), ref: 06DF28FA
                                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 06DF29C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Thread$ContextResume
                                                                                          • String ID:
                                                                                          • API String ID: 909585217-0
                                                                                          • Opcode ID: 6fc8309c461150bb1f12a0319b796daee54cc99933919d32c6ae1b264a48babf
                                                                                          • Instruction ID: 5ed36669d2757a03457ff929ed4c404b7f5ca113f58ddf940a321493c70d0a64
                                                                                          • Opcode Fuzzy Hash: 6fc8309c461150bb1f12a0319b796daee54cc99933919d32c6ae1b264a48babf
                                                                                          • Instruction Fuzzy Hash: 4C314A75D003098FCB50DFA9C4847EEBBF5EF88364F15842AD559A7640CB78AA44CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DF303E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: f0d6193ccaa192b53f856ed3ebf4c627992c9fb9d5de410a5f710f386a64694d
                                                                                          • Instruction ID: 5adcde7692886d656f88712fc7cadcf2ffe0724d5d41c716dd611a3b54562fc3
                                                                                          • Opcode Fuzzy Hash: f0d6193ccaa192b53f856ed3ebf4c627992c9fb9d5de410a5f710f386a64694d
                                                                                          • Instruction Fuzzy Hash: 73A17E71D10319CFDB90CFA9C8817EDBBB2BF44304F1685A9D909A7240DB749A85CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DF303E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: 7041b83b238c21bd96abd66bdbe8b21681f152ecf2ba14bf13788be8378ff04a
                                                                                          • Instruction ID: cac6f0c10af3cb9e21a7a3650768c9cc811645f42f82a4a994b70d1bb8c3eb98
                                                                                          • Opcode Fuzzy Hash: 7041b83b238c21bd96abd66bdbe8b21681f152ecf2ba14bf13788be8378ff04a
                                                                                          • Instruction Fuzzy Hash: 22918C71D10219DFDB50CFA9C8817EEBBB2BF48314F068569E909A7280DB749A85CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 029E990E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 84a42ef362b7267dc03883b87e37ed07e1be8e2a0ffe21ddbfd55e5d278369ba
                                                                                          • Instruction ID: 70d93edcc7e52b24c797b90a99c2512acaff634789adbf766329679fd2c09c9f
                                                                                          • Opcode Fuzzy Hash: 84a42ef362b7267dc03883b87e37ed07e1be8e2a0ffe21ddbfd55e5d278369ba
                                                                                          • Instruction Fuzzy Hash: 53713470A00B058FDB25CF69C44579ABBF5BF88304F008929D49ADBA50DB75E949CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(00000000), ref: 06DF4C1C
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: 3586599324a6b3a77782fd17468f301158d5793fb452518c4329b261931242c0
                                                                                          • Instruction ID: 2f255b8e64d5be0ac95e17f8c2f3a2d70eff77c158ca2e55b19a4c046141664a
                                                                                          • Opcode Fuzzy Hash: 3586599324a6b3a77782fd17468f301158d5793fb452518c4329b261931242c0
                                                                                          • Instruction Fuzzy Hash: F2616670D002188FDB54CFA9C884BDEBBF1BF48304F158429E91AAB396DB749948CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(00000000), ref: 06DF4C1C
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: 280ce7847257f6a4a577f4bdb37c6818897cf79a63e3c7a93208febe853ef1d6
                                                                                          • Instruction ID: c563cafb22c359a64da248e5f319432f27d267357f9c6b7cf4bc4eff89163f61
                                                                                          • Opcode Fuzzy Hash: 280ce7847257f6a4a577f4bdb37c6818897cf79a63e3c7a93208febe853ef1d6
                                                                                          • Instruction Fuzzy Hash: EA514570D002588FDB14CFA9C484BDEBBF1BF48304F158429D91AAB396D778A848CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 029E56F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: 18f340bb833a8184860cb0f964b9df16370bc3342b3ca89a61678787ced0daf9
                                                                                          • Instruction ID: 8f7e51f41e1daa610e87c21052bbb1426ed36de689423c111819e96ad7c71e26
                                                                                          • Opcode Fuzzy Hash: 18f340bb833a8184860cb0f964b9df16370bc3342b3ca89a61678787ced0daf9
                                                                                          • Instruction Fuzzy Hash: 7F410270D00718CEDB24CFA9C8847DEBBF5BF88308F158069D409AB251DBB5694ACF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 029E56F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: d52f3e661466f4f760d6b932e31f01e3e356b293ecd4b57b6e9ab7e28bbdcd43
                                                                                          • Instruction ID: bb89e0d1cc1c905077a102d9934aa342deec0c8c38f9990ad609ed0cfc19a4f4
                                                                                          • Opcode Fuzzy Hash: d52f3e661466f4f760d6b932e31f01e3e356b293ecd4b57b6e9ab7e28bbdcd43
                                                                                          • Instruction Fuzzy Hash: 5C41C170D04718CEDB24CFA9C884B9EBBF5BF48308F518469D409AB251DBB56949CF94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DF2B70
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: aabfa911151920a6435d8e9c3a10c18714bf88e4d941b975b4c4c3830045e9ce
                                                                                          • Instruction ID: d10d301300ad719fc8cbc9714fa7203624db64ec576675eaa0f0ce16caecc886
                                                                                          • Opcode Fuzzy Hash: aabfa911151920a6435d8e9c3a10c18714bf88e4d941b975b4c4c3830045e9ce
                                                                                          • Instruction Fuzzy Hash: C1314A75D003499FCB50CFA9D844BDEBBF5FF48364F15882AEA15A7240C778A944CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DF2A8E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: e972d2a8f9f8a0cf5a663683e688ebf737171dee3ce2023dadde256e54d26223
                                                                                          • Instruction ID: 0d7c1125c3d71a733367a1a03177877903efa23e0a6b5487b3256edf3b7a19dc
                                                                                          • Opcode Fuzzy Hash: e972d2a8f9f8a0cf5a663683e688ebf737171dee3ce2023dadde256e54d26223
                                                                                          • Instruction Fuzzy Hash: 4E218B76D002498FCB10CFA9C844BEFBBF5EF88324F15842AD615A7240CB75AA54CFA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CopyFileW.KERNELBASE(?,00000000,?), ref: 06E3B719
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859212279.0000000006E30000.00000040.00000001.sdmp, Offset: 06E30000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CopyFile
                                                                                          • String ID:
                                                                                          • API String ID: 1304948518-0
                                                                                          • Opcode ID: 856808ef1704669aaf8c4d5fefa7c9e0cba199fd6a2ab0fe437ec56ca189e2e6
                                                                                          • Instruction ID: 60cff78edca17ca1e73fa6d2999413170c2f7d5cee566116f32ae990f44f0ebc
                                                                                          • Opcode Fuzzy Hash: 856808ef1704669aaf8c4d5fefa7c9e0cba199fd6a2ab0fe437ec56ca189e2e6
                                                                                          • Instruction Fuzzy Hash: 84212BB5D012199FCB50CF99D485BEEFBF4EF48210F14816AD819AB245D7749A44CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DF2B70
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 2619661face5525e842ed94301bd3592da7faa70e96645cc27bdc041a2a016b9
                                                                                          • Instruction ID: 22e29694cb7751bab8f3f640b7f15015a26ffb01706eea494ebaba041da1287d
                                                                                          • Opcode Fuzzy Hash: 2619661face5525e842ed94301bd3592da7faa70e96645cc27bdc041a2a016b9
                                                                                          • Instruction Fuzzy Hash: FF2126B59003499FCB50CFA9C884BDEBBF5FF48354F01842AE919A7240C778AA44CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029EBC5F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 6bd9ded63e5c465a654ddca473815ca0624e190c81ed600acc77d8a146a7a1cc
                                                                                          • Instruction ID: e60146981e21f34169f99076016d697b3994825e48c39de727977256ef33bbc2
                                                                                          • Opcode Fuzzy Hash: 6bd9ded63e5c465a654ddca473815ca0624e190c81ed600acc77d8a146a7a1cc
                                                                                          • Instruction Fuzzy Hash: D821E3B59002489FDB10CFA9D984AEEBBF4FB48324F14841AE915B7210C374A945CFA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DF2C50
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: dc67f13c866eb81a5b98985a54e575938e11d3e27aa4c3fb2e82e6eed0a2cf73
                                                                                          • Instruction ID: 0be950edb899d0c378d5b62b5f1a8abf5e30fdc546b61f38525b4115a592e8c0
                                                                                          • Opcode Fuzzy Hash: dc67f13c866eb81a5b98985a54e575938e11d3e27aa4c3fb2e82e6eed0a2cf73
                                                                                          • Instruction Fuzzy Hash: C72128B1C003499FCB10CFA9C884BEEBBF5FF48314F518429E559A7240C778A944CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 06DF29C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: 7c8142e68b9fa4d60928b9d669582da6d1ba2b1cdea8def3c362243f1e877600
                                                                                          • Instruction ID: ad5d4c46aa30c2583fa6c0168e8e12b0f540c1c510c41e9d5addb5d67e4823ed
                                                                                          • Opcode Fuzzy Hash: 7c8142e68b9fa4d60928b9d669582da6d1ba2b1cdea8def3c362243f1e877600
                                                                                          • Instruction Fuzzy Hash: 702138B1D003098FCB50DFAAC4847EEBBF4EF88354F55842AD559A7240CB78AA44CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029EBC5F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: b973e0b74b42a80968ee725c6315bdc0988bfd8087293ef7aee793047ca10a5d
                                                                                          • Instruction ID: 93967adea526b71445468b8810d29d1ac1ffe1c08482fc859f681e02477f141f
                                                                                          • Opcode Fuzzy Hash: b973e0b74b42a80968ee725c6315bdc0988bfd8087293ef7aee793047ca10a5d
                                                                                          • Instruction Fuzzy Hash: 2421D3B5900259AFDF10CFA9D984ADEBBF8FB48324F14841AE915B7310D778A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • ResumeThread.KERNELBASE(00000006), ref: 06DF28FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: fbf6a1c2a9e259878d4161a25448b8697818345e2374299939eaae40dccba693
                                                                                          • Instruction ID: 8a66b6264c81d4938f0e21a456303fb55b2c2f7afc73a3c1b48d6fe55a3d3029
                                                                                          • Opcode Fuzzy Hash: fbf6a1c2a9e259878d4161a25448b8697818345e2374299939eaae40dccba693
                                                                                          • Instruction Fuzzy Hash: A3118971D003488BCB10DFE9D8447EEBBF8EF88314F10842AD519B7210CB75AA44CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029E9989,00000800,00000000,00000000), ref: 029E9B9A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DF2A8E
Memory Dump Source
• Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• ResumeThread.KERNELBASE(00000006), ref: 06DF28FA
Memory Dump Source
• Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06DF558D
Memory Dump Source
• Source File: 0000000D.00000002.859125129.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 029E990E
Memory Dump Source
• Source File: 0000000D.00000002.832420763.00000000029E0000.00000040.00000001.sdmp, Offset: 029E0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Non-executed Functions

Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 0188BA10
• GetCurrentThread.KERNEL32 ref: 0188BA4D
• GetCurrentProcess.KERNEL32 ref: 0188BA8A
• GetCurrentThreadId.KERNEL32 ref: 0188BAE3
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID: +nE
• API String ID: 2063062207-57853153
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0789303E
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID: +nE$+nE
• API String ID: 963392458-2854701811
APIs
• GetUserNameA.ADVAPI32(00000000), ref: 07894C1C
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: NameUser
• String ID: +nE$+nE
• API String ID: 2645101109-2854701811
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07892C50
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID: +nE$U
• API String ID: 1726664587-1885114708
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0188990E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: HandleModule
• String ID: +nE
• API String ID: 4139908857-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 018856F1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: Create
• String ID: +nE
• API String ID: 2289755597-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 018856F1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: Create
• String ID: +nE
• API String ID: 2289755597-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000004B), ref: 0188823D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: MetricsSystem
• String ID: +nE
• API String ID: 4116985748-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07892B70
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID: +nE
• API String ID: 3559483778-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 078929C6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: ContextThread
• String ID: +nE
• API String ID: 1591575202-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• CopyFileW.KERNELBASE(?,00000000,?), ref: 078DB719
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870628313.00000000078D0000.00000040.00000001.sdmp, Offset: 078D0000, based on PE: false
Similarity
• API ID: CopyFile
• String ID: +nE
• API String ID: 1304948518-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07892B70
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID: +nE
• API String ID: 3559483778-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0188BC5F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: +nE
• API String ID: 3793708945-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07892C50
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID: +nE
• API String ID: 1726664587-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 078929C6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: ContextThread
• String ID: +nE
• API String ID: 1591575202-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0188BC5F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: +nE
• API String ID: 3793708945-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07892A8E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: +nE
• API String ID: 4275171209-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01889989,00000800,00000000,00000000), ref: 01889B9A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: +nE
• API String ID: 1029625771-57853153
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01889989,00000800,00000000,00000000), ref: 01889B9A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: +nE
• API String ID: 1029625771-57853153
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07892A8E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: +nE
                                                                                          • API String ID: 4275171209-57853153
                                                                                          • Opcode ID: 6c6ccfd2ecdc3ff46621e319adb66d5b4f6192d5c6c9b1459ed740c9258c5581
                                                                                          • Instruction ID: 7f3b8422da90d8a422d3eeb8d886ce89ace35a60b3bb906c804d47795920ffe5
                                                                                          • Opcode Fuzzy Hash: 6c6ccfd2ecdc3ff46621e319adb66d5b4f6192d5c6c9b1459ed740c9258c5581
                                                                                          • Instruction Fuzzy Hash: 7F1112B69002499BCF10DFAAC844BEEBBF5EF88364F148829E515A7250C775A944CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID: +nE
                                                                                          • API String ID: 947044025-57853153
                                                                                          • Opcode ID: 21c60084d80679a3e4c1eb24dc76dd3956801ab3afe64289b50a31e85de09550
                                                                                          • Instruction ID: a0afe37d5ef83ff12892f927926722a235d111a16a310902ff78caf3abe4c66e
                                                                                          • Opcode Fuzzy Hash: 21c60084d80679a3e4c1eb24dc76dd3956801ab3afe64289b50a31e85de09550
                                                                                          • Instruction Fuzzy Hash: 691128B1D043498BCB10DFAAD4447EEFBF4EB88224F15842AD515A7640CB75A944CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID: +nE
                                                                                          • API String ID: 947044025-57853153
                                                                                          • Opcode ID: 93d689848763a13039119bdd7e71b2d9ccf4e47c9430ad0c4c578b638573a4ed
                                                                                          • Instruction ID: 58e259dd0dd3d4a22f294bf49fb36ff697b100dfa0ebfa6d37d4fd427b380c46
                                                                                          • Opcode Fuzzy Hash: 93d689848763a13039119bdd7e71b2d9ccf4e47c9430ad0c4c578b638573a4ed
                                                                                          • Instruction Fuzzy Hash: 701136B1D043498BCB10DFAAC4447EFFBF8EB88324F158829C519A7240C779A944CFA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0188990E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID: +nE
                                                                                          • API String ID: 4139908857-57853153
                                                                                          • Opcode ID: 94818933cea9b8d33c641ce88f265c35228db53dab11f3e8a3404bfb1caa26ce
                                                                                          • Instruction ID: e3d787dc5ba827e770114c556c024cbf724d322685d360ed37c4235abc0e1aec
                                                                                          • Opcode Fuzzy Hash: 94818933cea9b8d33c641ce88f265c35228db53dab11f3e8a3404bfb1caa26ce
                                                                                          • Instruction Fuzzy Hash: 3A1113B5C002498FDB10DF9AC444BDEFBF4EF88328F14841AD529A7200D378A645CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0789558D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID: +nE
                                                                                          • API String ID: 410705778-57853153
                                                                                          • Opcode ID: 69c8086e14f8eec033ee47f72bc4a6d11262a3986a89dfbb99fc1bf28f2c6f2d
                                                                                          • Instruction ID: 4cdb67e78e97c785845999e111ed3a8b120a68d530690b59f3c4cc61b5e437eb
                                                                                          • Opcode Fuzzy Hash: 69c8086e14f8eec033ee47f72bc4a6d11262a3986a89dfbb99fc1bf28f2c6f2d
                                                                                          • Instruction Fuzzy Hash: 4C1103B5800349AFDB10CF99D884BEFBBF8EB48324F14841AE515A7600C375A984CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0789558D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID: +nE
                                                                                          • API String ID: 410705778-57853153
                                                                                          • Opcode ID: 2ab2a3cb7471d5a256a1514ef60a9ce56ff42c8de2acf776c6cce3e9667d4e12
                                                                                          • Instruction ID: bf8a12c54f75bc5c7617468ed406f926bd5e9694d0f1c20c9f2733d2190e2c16
                                                                                          • Opcode Fuzzy Hash: 2ab2a3cb7471d5a256a1514ef60a9ce56ff42c8de2acf776c6cce3e9667d4e12
                                                                                          • Instruction Fuzzy Hash: 501103B5800349DFDB10DF99D488BDEBBF8FB58324F148419E955A7240D3B4AA54CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: f3e748fbb93bed54e1cd313dfeeb71c660cc8abb8ed81dd88c9ed27244f5a8ae
                                                                                          • Instruction ID: 0dee46b60d9fcfc67b979d47425c34dccde8af84d4c7c17f941da108646887f3
                                                                                          • Opcode Fuzzy Hash: f3e748fbb93bed54e1cd313dfeeb71c660cc8abb8ed81dd88c9ed27244f5a8ae
                                                                                          • Instruction Fuzzy Hash: 3701ADB1A043458FCB04CBA9D8547EEFBF1AF84218F15C46AD519EB251CB7AA905CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%
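
The records above are the raw material for seeing which memory regions of the sample resolve which imports, but read one at a time they hide the pattern: LoadLibraryExW and GetModuleHandleW sit in the 01880000 dump, while VirtualAllocEx, ResumeThread and PostMessageW all sit in the 07890000 dump. The parser below is an added example written for this page; it is not Joe Sandbox output or code. It reads the APIs, Memory Dump Source and Similarity fields exactly as they are printed above, strips the indentation, and groups the API IDs per dump base. Two things in it are assumptions: the roles given to the .sdmp file name fields (process id, base address, protection) and the AllocVirtual + ResumeThread co-location heuristic. The base address field is the only one that can be checked against the page, where it equals each record's Offset.

```python
"""Added example, not part of the report: parse the per-function records above
and group the resolved API IDs by memory dump, so the injection primitives that
are scattered across records can be seen region by region."""
import re
from collections import defaultdict

# Constructed sample: three records from the report, condensed to the section
# headers plus the lines this parser reads (hash and String ID lines dropped).
SAMPLE_RECORDS = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01889989,00000800,00000000,00000000), ref: 01889B9A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.842717811.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
Similarity
• API ID: LibraryLoad
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07892A8E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: AllocVirtual
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.870577234.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
Similarity
• API ID: ResumeThread
Uniqueness Score: -1.00%
"""

CALL_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?:true|false)$")
API_ID_RE = re.compile(r"^• API ID: (?P<api_id>.+)$")
PROTECTION_NAMES = {0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}  # Win32 constants


def parse_dump_name(name):
    """Decode '<pid>.<stage>.<timestamp>.<base>.<protection>.<type>.sdmp'.
    The field roles are an assumption; only the base address is checkable on
    the page, where it equals the record's Offset."""
    fields = name.rsplit(".sdmp", 1)[0].split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(fields[4], 16)
    return {"pid": int(fields[0], 16), "base": int(fields[3], 16), "protect": protect,
            "protect_name": PROTECTION_NAMES.get(protect, hex(protect))}


def parse_records(text):
    """Split on the 'Uniqueness Score' line that closes each record.
    Lines are stripped first, so the report's deep indentation does not matter."""
    records = []
    for chunk in re.split(r"^\s*Uniqueness Score:.*$", text, flags=re.M):
        rec = {"api_id": None, "calls": [], "dump": None}
        for ln in (raw.strip() for raw in chunk.splitlines()):
            call, src, api = CALL_RE.match(ln), SOURCE_RE.match(ln), API_ID_RE.match(ln)
            if call:
                rec["calls"].append({"name": call["name"], "module": call["module"],
                                     "args": call["args"], "ref": int(call["ref"], 16)})
            elif src:
                rec["dump"] = {"file": src["file"], "offset": int(src["offset"], 16),
                               "fields": parse_dump_name(src["file"])}
            elif api:
                rec["api_id"] = api["api_id"]
        if rec["api_id"] is None and rec["dump"] is None:
            continue  # surrounding text, not a record
        if rec["dump"] is None:
            raise ValueError(f"record {rec['api_id']!r} has no Memory Dump Source")
        records.append(rec)
    return records


def apis_by_dump(records):
    """Map each dump base address to the set of API IDs resolved inside it."""
    out = defaultdict(set)
    for rec in records:
        if rec["api_id"]:
            out[rec["dump"]["offset"]].add(rec["api_id"])
    return dict(out)


# Joe Sandbox's word-sorted API IDs for VirtualAllocEx and ResumeThread, as printed above.
# Both in one region dumped with 'based on PE: false' is a heuristic, not proof of injection.
INJECTION_PRIMITIVES = {"AllocVirtual", "ResumeThread"}


def injection_regions(records):
    """Dump base addresses whose functions cover every injection primitive."""
    return sorted(base for base, ids in apis_by_dump(records).items()
                  if INJECTION_PRIMITIVES <= ids)


def call_rvas(records):
    """(API name, call-site offset from the dump base) for each resolved call."""
    return [(c["name"], c["ref"] - rec["dump"]["offset"])
            for rec in records for c in rec["calls"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for base, ids in sorted(apis_by_dump(recs).items()):
        print(f"dump 0x{base:08X}: {', '.join(sorted(ids))}")
    print("injection-pattern regions:", [hex(b) for b in injection_regions(recs)])
```

Run on the sample, the 07890000 region collects AllocVirtual and ResumeThread while 01880000 holds only LibraryLoad, and the call sites come out as dump+0x2A8E for VirtualAllocEx and dump+0x9B9A for LoadLibraryExW. To run it over the whole report, pass the saved page text to parse_records() instead of SAMPLE_RECORDS; the stripping handles the indentation. Two caveats a reader of these records should keep in mind: the ResumeThread records carry no resolved call line, so the heuristic keys on the API ID rather than on a call site, and the PostMessageW records pass 00000010 as the message, which is WM_CLOSE, not a keystroke or injection primitive.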

                                                                                          Non-executed Functions