Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report 7iatifHQEp.exe

Overview

General Information

Sample Name:7iatifHQEp.exe
Analysis ID:319522
MD5:2ab285ba8f3215a095fc99c969a375c0
SHA1:4b8d19b22ed5562a7677dc7f5e5fe5a7167549f5
SHA256:bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4
Tags:exeNanoCorenVpnRAT

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 7iatifHQEp.exe (PID: 6388 cmdline: 'C:\Users\user\Desktop\7iatifHQEp.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • 7iatifHQEp.exe (PID: 4652 cmdline: C:\Users\user\Desktop\7iatifHQEp.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
      • schtasks.exe (PID: 4780 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3416 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 7iatifHQEp.exe (PID: 5624 cmdline: C:\Users\user\Desktop\7iatifHQEp.exe 0 MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • 7iatifHQEp.exe (PID: 5932 cmdline: C:\Users\user\Desktop\7iatifHQEp.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • dhcpmon.exe (PID: 6096 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • dhcpmon.exe (PID: 4804 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • vlc.exe (PID: 5728 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • vlc.exe (PID: 684 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • vlc.exe (PID: 3792 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • dhcpmon.exe (PID: 6848 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • dhcpmon.exe (PID: 6988 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • dhcpmon.exe (PID: 6576 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • vlc.exe (PID: 4640 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 2AB285BA8F3215A095FC99C969A375C0)
    • vlc.exe (PID: 1500 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 2AB285BA8F3215A095FC99C969A375C0)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x435cd:$a: NanoCore
    • 0x43626:$a: NanoCore
    • 0x43663:$a: NanoCore
    • 0x436dc:$a: NanoCore
    • 0x56d87:$a: NanoCore
    • 0x56d9c:$a: NanoCore
    • 0x56dd1:$a: NanoCore
    • 0x6fd73:$a: NanoCore
    • 0x6fd88:$a: NanoCore
    • 0x6fdbd:$a: NanoCore
    • 0x4362f:$b: ClientPlugin
    • 0x4366c:$b: ClientPlugin
    • 0x43f6a:$b: ClientPlugin
    • 0x43f77:$b: ClientPlugin
    • 0x56b43:$b: ClientPlugin
    • 0x56b5e:$b: ClientPlugin
    • 0x56b8e:$b: ClientPlugin
    • 0x56da5:$b: ClientPlugin
    • 0x56dda:$b: ClientPlugin
    • 0x6fb2f:$b: ClientPlugin
    • 0x6fb4a:$b: ClientPlugin
    0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 121 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.2.7iatifHQEp.exe.7100000.11.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x13a8:$x1: NanoCore.ClientPluginHost
      8.2.7iatifHQEp.exe.7100000.11.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x13a8:$x2: NanoCore.ClientPluginHost
      • 0x1486:$s4: PipeCreated
      • 0x13c2:$s5: IClientLoggingHost
      8.2.7iatifHQEp.exe.7160000.16.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x350b:$x1: NanoCore.ClientPluginHost
      • 0x3525:$x2: IClientNetworkHost
      8.2.7iatifHQEp.exe.7160000.16.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x350b:$x2: NanoCore.ClientPluginHost
      • 0x52b6:$s4: PipeCreated
      • 0x34f8:$s5: IClientLoggingHost
      8.2.7iatifHQEp.exe.7120000.13.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x59eb:$x1: NanoCore.ClientPluginHost
      • 0x5b48:$x2: IClientNetworkHost
      Click to see the 71 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\7iatifHQEp.exe, ProcessId: 4652, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\7iatifHQEp.exe, ParentImage: C:\Users\user\Desktop\7iatifHQEp.exe, ParentProcessId: 4652, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp', ProcessId: 4780

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: dhcpmon.exe.6576.29.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
      Source: dhcpmon.exe.6576.29.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
      Multi AV Scanner detection for domain / URLShow sources
      Source: atacoinc8897.hopto.orgVirustotal: Detection: 6%Perma Link
      Source: atacoinc8897.hopto.orgVirustotal: Detection: 6%Perma Link
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 14%
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeReversingLabs: Detection: 14%
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 14%
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeReversingLabs: Detection: 14%
      Multi AV Scanner detection for submitted fileShow sources
      Source: 7iatifHQEp.exeVirustotal: Detection: 22%Perma Link
      Source: 7iatifHQEp.exeReversingLabs: Detection: 14%
      Source: 7iatifHQEp.exeVirustotal: Detection: 22%Perma Link
      Source: 7iatifHQEp.exeReversingLabs: Detection: 14%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJoe Sandbox ML: detected
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJoe Sandbox ML: detected
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
      Machine Learning detection for sampleShow sources
      Source: 7iatifHQEp.exeJoe Sandbox ML: detected
      Source: 7iatifHQEp.exeJoe Sandbox ML: detected
      Source: 8.2.7iatifHQEp.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 27.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 26.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 23.2.7iatifHQEp.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 29.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 31.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 8.2.7iatifHQEp.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 27.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 26.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 23.2.7iatifHQEp.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 29.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 31.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 185.140.53.132:2008
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 185.140.53.132:2008
      Source: global trafficTCP traffic: 192.168.2.4:49740 -> 185.140.53.132:2008
      Source: global trafficTCP traffic: 192.168.2.4:49740 -> 185.140.53.132:2008
      Source: Joe Sandbox ViewIP Address: 185.140.53.132 185.140.53.132
      Source: Joe Sandbox ViewIP Address: 185.140.53.132 185.140.53.132
      Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
      Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
      Source: unknownDNS traffic detected: queries for: atacoinc8897.hopto.org
      Source: unknownDNS traffic detected: queries for: atacoinc8897.hopto.org
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: http://google.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: 7iatifHQEp.exe, 00000000.00000003.664122612.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
      Source: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com=
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comJ
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comitk
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comw.c3-x
      Source: 7iatifHQEp.exe, 00000000.00000003.665230209.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.co
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: 7iatifHQEp.exe, 00000000.00000003.665186452.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: 7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: 7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx2
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html~
      Source: 7iatifHQEp.exe, 00000000.00000003.665162800.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/~
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersE&
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: 7iatifHQEp.exe, 00000000.00000003.666170417.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersH&
      Source: 7iatifHQEp.exe, 00000000.00000003.665404943.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
      Source: 7iatifHQEp.exe, 00000000.00000003.666404104.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersV
      Source: 7iatifHQEp.exe, 00000000.00000003.665207459.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
      Source: 7iatifHQEp.exe, 00000000.00000003.665427572.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomaD
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtx
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn5
      Source: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnJ
      Source: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnv-s
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: 7iatifHQEp.exe, 00000000.00000003.669355371.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmn-ustr
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/0
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
      Source: 7iatifHQEp.exe, 00000000.00000003.663531498.0000000005D64000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-da
      Source: 7iatifHQEp.exe, 00000000.00000003.663884592.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/tion
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/w
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665022443.0000000005D8E000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.666770593.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
      Source: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deo4(
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: http://google.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: 7iatifHQEp.exe, 00000000.00000003.664122612.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
      Source: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com=
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comJ
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comitk
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: 7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comw.c3-x
      Source: 7iatifHQEp.exe, 00000000.00000003.665230209.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.co
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: 7iatifHQEp.exe, 00000000.00000003.665186452.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: 7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: 7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx2
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html~
      Source: 7iatifHQEp.exe, 00000000.00000003.665162800.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/~
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersE&
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: 7iatifHQEp.exe, 00000000.00000003.666170417.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersH&
      Source: 7iatifHQEp.exe, 00000000.00000003.665404943.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
      Source: 7iatifHQEp.exe, 00000000.00000003.666404104.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersV
      Source: 7iatifHQEp.exe, 00000000.00000003.665207459.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
      Source: 7iatifHQEp.exe, 00000000.00000003.665427572.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomaD
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
      Source: 7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtx
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn5
      Source: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnJ
      Source: 7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnv-s
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: 7iatifHQEp.exe, 00000000.00000003.669355371.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmn-ustr
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/0
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
      Source: 7iatifHQEp.exe, 00000000.00000003.663531498.0000000005D64000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-da
      Source: 7iatifHQEp.exe, 00000000.00000003.663884592.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
      Source: 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/tion
      Source: 7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/w
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: 7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: 7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665022443.0000000005D8E000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.666770593.0000000005D90000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
      Source: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: 7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deo4(
      Source: 7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: vlc.exe, 0000000F.00000002.839932695.0000000000D9B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: vlc.exe, 0000000F.00000002.839932695.0000000000D9B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6C284
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6E898
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6E888
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07796750
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07790007
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07B6C270
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07B6BBF8
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6C284
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6E898
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6E888
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07796750
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07790007
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07B6C270
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07B6BBF8
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_066D0040
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_066D0820
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_066C02B0
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_0120E473
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_0120E480
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_0120BBD4
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_0526F5F8
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_05269788
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_0526A610
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_029EC284
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_029EE898
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_029EE888
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_0557EC10
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_05574668
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_0557EC00
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_05573EB8
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_06DF6750
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_06DF0007
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_06E3C270
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_06E3BBF8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0188F890
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0188C284
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0188E888
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0188E898
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_07896750
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_07890007
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_078DC270
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_078DBBF8
      Source: 7iatifHQEp.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vlc.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 7iatifHQEp.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vlc.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 7iatifHQEp.exe, 00000000.00000002.754390049.00000000075D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXglbdu.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.754716243.0000000007699000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.755775985.0000000007930000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.745556023.0000000003126000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exeBinary or memory string: OriginalFilename vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000003.759569087.0000000001025000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000000.741751073.00000000009D2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.934385775.0000000006250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.933519881.00000000052B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.836252141.0000000002D56000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.831716536.0000000000E88000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.829465620.00000000006E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.857957252.0000000006A80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXglbdu.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.859613860.0000000006F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.846068693.0000000000682000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exeBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.754390049.00000000075D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXglbdu.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.754716243.0000000007699000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.755775985.0000000007930000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000000.00000002.745556023.0000000003126000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exeBinary or memory string: OriginalFilename vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000003.759569087.0000000001025000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000000.741751073.00000000009D2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.934385775.0000000006250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.933519881.00000000052B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.836252141.0000000002D56000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.831716536.0000000000E88000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.829465620.00000000006E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.857957252.0000000006A80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXglbdu.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 0000000D.00000002.859613860.0000000006F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exe, 00000017.00000002.846068693.0000000000682000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 7iatifHQEp.exeBinary or memory string: OriginalFilenamePOP.exe, vs 7iatifHQEp.exe
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 1500, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 3792, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 4640, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: vlc.exe PID: 5728, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7100000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7110000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.71b0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7120000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.5360000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.70f0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7130000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7170000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.66c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7140000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.7iatifHQEp.exe.7160000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 7iatifHQEp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: vlc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.8.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 7iatifHQEp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: vlc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.8.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 7iatifHQEp.exe, 00000000.00000003.663822608.0000000005D8E000.00000004.00000001.sdmpBinary or memory string: 2017 JIYUKOBO Ltd. All Rights Reserved.slnt
      Source: 7iatifHQEp.exe, 00000000.00000003.663822608.0000000005D8E000.00000004.00000001.sdmpBinary or memory string: 2017 JIYUKOBO Ltd. All Rights Reserved.slnt
      Source: classification engineClassification label: mal100.troj.evad.winEXE@28/14@1/1
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{950dc9c6-d071-4b80-ab32-4e46986f440d}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_01
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{950dc9c6-d071-4b80-ab32-4e46986f440d}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_01
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Local\Temp\tmp52.tmpJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Local\Temp\tmp52.tmpJump to behavior
      Source: 7iatifHQEp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 7iatifHQEp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 7iatifHQEp.exeVirustotal: Detection: 22%
      Source: 7iatifHQEp.exeReversingLabs: Detection: 14%
      Source: 7iatifHQEp.exeVirustotal: Detection: 22%
      Source: 7iatifHQEp.exeReversingLabs: Detection: 14%
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile read: C:\Users\user\Desktop\7iatifHQEp.exeJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile read: C:\Users\user\Desktop\7iatifHQEp.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe 'C:\Users\user\Desktop\7iatifHQEp.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe 0
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe 'C:\Users\user\Desktop\7iatifHQEp.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe 0
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 7iatifHQEp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 7iatifHQEp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 7iatifHQEp.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: 7iatifHQEp.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 7iatifHQEp.exe, 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 7iatifHQEp.exe, 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6D6F3 push 0000005Dh; retn 0004h
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6FEC3 pushfd ; iretd
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6D6F3 push 0000005Dh; retn 0004h
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_02D6FEC3 pushfd ; iretd
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_052669FA push esp; retf
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 8_2_052669F8 pushad ; retf
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 13_2_0557A44C push E804FA6Bh; retf
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0188FEC2 pushfd ; iretd
      Source: initial sampleStatic PE information: section name: .text entropy: 7.93849654903
      Source: initial sampleStatic PE information: section name: .text entropy: 7.93849654903
      Source: initial sampleStatic PE information: section name: .text entropy: 7.93849654903
      Source: initial sampleStatic PE information: section name: .text entropy: 7.93849654903
      Source: initial sampleStatic PE information: section name: .text entropy: 7.93849654903
      Source: initial sampleStatic PE information: section name: .text entropy: 7.93849654903
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 8.2.7iatifHQEp.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to dropped file
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to dropped file
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

      Boot Survival:

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATAJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATAJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
      Source: C:\Users\user\Desktop\7iatifHQEp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile opened: C:\Users\user\Desktop\7iatifHQEp.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\7iatifHQEp.exeFile opened: C:\Users\user\Desktop\7iatifHQEp.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      barindex
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: 7iatifHQEp.exe, 00000000.00000002.754390049.00000000075D0000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.857957252.0000000006A80000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.865535286.0000000006AA0000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.883348560.0000000006620000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLHEAD
      Source: 7iatifHQEp.exe, 00000000.00000002.754390049.00000000075D0000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.857957252.0000000006A80000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.865535286.0000000006AA0000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.883348560.0000000006620000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLHEAD
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: threadDelayed 6722
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: threadDelayed 2445
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: foregroundWindowGot 411
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: foregroundWindowGot 474
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: threadDelayed 6722
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: threadDelayed 2445
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: foregroundWindowGot 411
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWindow / User API: foregroundWindowGot 474
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 1492Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 4604Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 768Thread sleep time: -40000s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 5660Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2204Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5956Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5812Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 7108Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 4684Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6296Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 2936Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6112Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6712Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 1492Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 4604Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 768Thread sleep time: -40000s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 5660Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2204Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5956Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5812Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 7108Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\7iatifHQEp.exe TID: 4684Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6296Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 2936Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6112Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6712Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: 7iatifHQEp.exe, 00000008.00000002.925178554.0000000000FF5000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: 7iatifHQEp.exe, 00000008.00000002.925178554.0000000000FF5000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMemory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Injects a PE file into a foreign processesShow sources
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMemory written: C:\Users\user\Desktop\7iatifHQEp.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMemory written: C:\Users\user\Desktop\7iatifHQEp.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMemory written: C:\Users\user\Desktop\7iatifHQEp.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\7iatifHQEp.exeMemory written: C:\Users\user\Desktop\7iatifHQEp.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
      Source: C:\Users\user\Desktop\7iatifHQEp.exeProcess created: C:\Users\user\Desktop\7iatifHQEp.exe C:\Users\user\Desktop\7iatifHQEp.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      Source: 7iatifHQEp.exe, 00000008.00000002.934356236.000000000624A000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: Program ManagerHaRk
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: 7iatifHQEp.exe, 00000008.00000002.935280208.0000000006CDE000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.927503705.0000000002E79000.00000004.00000001.sdmpBinary or memory string: Program Managerp
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: 7iatifHQEp.exe, 00000008.00000002.936423952.000000000751E000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager`
      Source: 7iatifHQEp.exe, 00000008.00000002.934522264.000000000647B000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.934356236.000000000624A000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: Program ManagerHaRk
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: 7iatifHQEp.exe, 00000008.00000002.935280208.0000000006CDE000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
      Source: 7iatifHQEp.exe, 00000008.00000002.927503705.0000000002E79000.00000004.00000001.sdmpBinary or memory string: Program Managerp
      Source: 7iatifHQEp.exe, 00000008.00000002.926153100.0000000001780000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: 7iatifHQEp.exe, 00000008.00000002.936423952.000000000751E000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager`
      Source: 7iatifHQEp.exe, 00000008.00000002.934522264.000000000647B000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Users\user\Desktop\7iatifHQEp.exe VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07794AD0 GetUserNameA,
      Source: C:\Users\user\Desktop\7iatifHQEp.exeCode function: 0_2_07794AD0 GetUserNameA,
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\7iatifHQEp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\7iatifHQEp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      barindex
      Detected Nanocore RatShow sources
      Source: 7iatifHQEp.exe, 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 7iatifHQEp.exe, 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 7iatifHQEp.exe, 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: 7iatifHQEp.exe, 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: 7iatifHQEp.exe, 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 7iatifHQEp.exe, 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 7iatifHQEp.exe, 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: vlc.exe, 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 1500, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 3792, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4804, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5932, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 5624, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 4640, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5728, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 6388, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6096, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 7iatifHQEp.exe PID: 4652, type: MEMORY
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 8.2.7iatifHQEp.exe.5570000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.7iatifHQEp.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Process Injection112Disable or Modify Tools1Input Capture21Account Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/Job1Registry Run Keys / Startup Folder11Scheduled Task/Job1Deobfuscate/Decode Files or Information1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolInput Capture21Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Registry Run Keys / Startup Folder11Obfuscated Files or Information2Security Account ManagerSystem Information Discovery12SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSSecurity Software Discovery211Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsVirtualization/Sandbox Evasion2SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol1Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion2Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemSystem Owner/User Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 319522 Sample: 7iatifHQEp.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 12 other signatures 2->67 8 7iatifHQEp.exe 1 6 2->8         started        12 vlc.exe 3 2->12         started        14 dhcpmon.exe 2->14         started        16 3 other processes 2->16 process3 file4 53 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 8->53 dropped 55 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 8->55 dropped 57 C:\Users\user\AppData\...\7iatifHQEp.exe.log, ASCII 8->57 dropped 71 Injects a PE file into a foreign processes 8->71 18 7iatifHQEp.exe 1 15 8->18         started        23 vlc.exe 12->23         started        25 vlc.exe 12->25         started        27 dhcpmon.exe 14->27         started        29 dhcpmon.exe 14->29         started        31 7iatifHQEp.exe 16->31         started        33 dhcpmon.exe 16->33         started        35 vlc.exe 16->35         started        signatures5 process6 dnsIp7 59 atacoinc8897.hopto.org 185.140.53.132, 2008, 49740 DAVID_CRAIGGG Sweden 18->59 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->45 dropped 47 C:\Users\user\AppData\Roaming\...\run.dat, data 18->47 dropped 49 C:\Users\user\AppData\Local\Temp\tmp52.tmp, XML 18->49 dropped 51 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->51 dropped 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->69 37 schtasks.exe 1 18->37         started        39 schtasks.exe 1 18->39         started        file8 signatures9 process10 process11 41 conhost.exe 37->41         started        43 conhost.exe 39->43         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      7iatifHQEp.exe23%VirustotalBrowse
      7iatifHQEp.exe15%ReversingLabs
      7iatifHQEp.exe100%Joe Sandbox ML

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe100%Joe Sandbox ML
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe15%ReversingLabs
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe15%ReversingLabs

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      8.2.7iatifHQEp.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      27.2.vlc.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      26.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      23.2.7iatifHQEp.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      29.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      31.2.vlc.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

      Domains

      SourceDetectionScannerLabelLink
      atacoinc8897.hopto.org6%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      http://www.founder.com.cn/cnJ0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/a-d0%Avira URL Cloudsafe
      http://www.urwpp.deo4(0%Avira URL Cloudsafe
      http://www.founder.com.cn/cnv-s0%Avira URL Cloudsafe
      http://www.galapagosdesign.com/staff/dennis.htmn-ustr0%Avira URL Cloudsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.fontbureau.comcomaD0%Avira URL Cloudsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.carterandcone.com0%URL Reputationsafe
      http://www.carterandcone.com0%URL Reputationsafe
      http://www.carterandcone.com0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/jp/90%Avira URL Cloudsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/90%Avira URL Cloudsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/00%Avira URL Cloudsafe
      http://www.carterandcone.com=0%Avira URL Cloudsafe
      http://www.urwpp.de20%Avira URL Cloudsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
      http://www.carterandcone.comitk0%Avira URL Cloudsafe
      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.de0%URL Reputationsafe
      http://www.urwpp.de0%URL Reputationsafe
      http://www.urwpp.de0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.carterandcone.comJ0%Avira URL Cloudsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.tiro.comslnt0%URL Reputationsafe
      http://www.tiro.comslnt0%URL Reputationsafe
      http://www.tiro.comslnt0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/M0%Avira URL Cloudsafe
      http://www.fontbureau.co0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/a-da0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/D0%Avira URL Cloudsafe
      http://www.carterandcone.comw.c3-x0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/jp/w0%Avira URL Cloudsafe
      http://www.fontbureau.come.com0%URL Reputationsafe
      http://www.fontbureau.come.com0%URL Reputationsafe
      http://www.fontbureau.come.com0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.fontbureau.comtx0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/w0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.founder.com.cn/cn50%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/Y0-d0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/j0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/tion0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      atacoinc8897.hopto.org
      		185.140.53.132
      		truetrueunknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://www.fontbureau.com/designersG7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
        		high
        http://www.fontbureau.com/designers/?7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
          		high
          http://www.founder.com.cn/cnJ7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.founder.com.cn/cn/bThe7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers?7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
            		high
            http://www.jiyu-kobo.co.jp/a-d7iatifHQEp.exe, 00000000.00000003.663531498.0000000005D64000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.urwpp.deo4(7iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		low
            http://www.founder.com.cn/cnv-s7iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.galapagosdesign.com/staff/dennis.htmn-ustr7iatifHQEp.exe, 00000000.00000003.669355371.0000000005D90000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.tiro.comvlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designersV7iatifHQEp.exe, 00000000.00000003.666404104.0000000005D90000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designersE&7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmpfalse
                		high
                http://www.fontbureau.comcomaD7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.com/designersvlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                  		high
                  http://www.goodfont.co.kr7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.carterandcone.com7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designersP7iatifHQEp.exe, 00000000.00000003.665404943.0000000005D8F000.00000004.00000001.sdmpfalse
                    		high
                    http://www.jiyu-kobo.co.jp/jp/97iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.sajatypeworks.com7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/97iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.typography.netD7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cn/cThe7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/staff/dennis.htm7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://fontfabrik.com7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/07iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.carterandcone.com=7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		low
                    http://www.fontbureau.com/designersd7iatifHQEp.exe, 00000000.00000003.665207459.0000000005D8E000.00000004.00000001.sdmpfalse
                      		high
                      http://www.urwpp.de27iatifHQEp.exe, 00000000.00000003.665045505.0000000005D8E000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.galapagosdesign.com/DPlease7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/Y07iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.carterandcone.comitk7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.ascendercorp.com/typedesigners.html7iatifHQEp.exe, 00000000.00000003.664122612.0000000005D8E000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.fonts.com7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                        		high
                        http://www.sandoll.co.kr7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.deDPlease7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designersH&7iatifHQEp.exe, 00000000.00000003.666170417.0000000005D90000.00000004.00000001.sdmpfalse
                          		high
                          http://www.urwpp.de7iatifHQEp.exe, 00000000.00000003.666812222.0000000005D90000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665022443.0000000005D8E000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.666770593.0000000005D90000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cn7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comJ7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.sakkal.com7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designerst7iatifHQEp.exe, 00000000.00000003.665427572.0000000005D8F000.00000004.00000001.sdmpfalse
                            		high
                            http://www.apache.org/licenses/LICENSE-2.07iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                              		high
                              http://www.fontbureau.com7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                		high
                                http://www.fontbureau.com/designers/~7iatifHQEp.exe, 00000000.00000003.665162800.0000000005D8E000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.tiro.comslnt7iatifHQEp.exe, 00000000.00000003.663445500.0000000005D90000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/M7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.co7iatifHQEp.exe, 00000000.00000003.665230209.0000000005D8E000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/a-da7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/D7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.carterandcone.comw.c3-x7iatifHQEp.exe, 00000000.00000003.663258848.0000000005D8F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/w7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.come.com7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.coml7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comtx7iatifHQEp.exe, 00000000.00000002.750088522.0000000005D60000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlN7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.jiyu-kobo.co.jp/w7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.founder.com.cn/cn7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-user.html7iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.com/designers/cabarga.html7iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.jiyu-kobo.co.jp/7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmp, 7iatifHQEp.exe, 00000000.00000003.664076316.0000000005D6B000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cn57iatifHQEp.exe, 00000000.00000003.662780983.0000000005D8E000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/Y0-d7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.fontbureau.com/designers87iatifHQEp.exe, 00000000.00000002.753586726.0000000006F72000.00000004.00000001.sdmp, 7iatifHQEp.exe, 0000000D.00000002.851136508.0000000005A80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.864852934.0000000006400000.00000002.00000001.sdmp, vlc.exe, 0000000F.00000002.861840629.0000000005990000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.881466008.0000000005620000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.884369428.00000000055B0000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.jiyu-kobo.co.jp/j7iatifHQEp.exe, 00000000.00000003.663884592.0000000005D6B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlx27iatifHQEp.exe, 00000000.00000003.666087051.0000000005D90000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.fontbureau.com/designers/7iatifHQEp.exe, 00000000.00000003.665186452.0000000005D8E000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.jiyu-kobo.co.jp/tion7iatifHQEp.exe, 00000000.00000003.663762654.0000000005D65000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-user.html~7iatifHQEp.exe, 00000000.00000003.665682741.0000000005D8F000.00000004.00000001.sdmpfalse
                                                		high

                                                Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public

                                                IPDomainCountryFlagASNASN NameMalicious
                                                185.140.53.132
                                                		unknownSweden
                                                		209623DAVID_CRAIGGGtrue

                                                General Information

                                                Joe Sandbox Version:31.0.0 Red Diamond
                                                Analysis ID:319522
                                                Start date:18.11.2020
                                                Start time:11:57:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 13m 27s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:7iatifHQEp.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:33
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@28/14@1/1
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 0.5% (good quality ratio 0.4%)
                                                • Quality average: 63.3%
                                                • Quality standard deviation: 32.5%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                Show All
                                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                • TCP Packets have been reduced to 100
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 92.122.145.220, 52.255.188.83, 51.104.139.180, 13.107.4.50, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
                                                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, Edge-Prod-FRAr4a.env.au.au-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, store-images.s-microsoft.com, au.c-0001.c-msedge.net
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                11:58:31AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
                                                11:58:36Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\7iatifHQEp.exe" s>$(Arg0)
                                                11:58:36API Interceptor678x Sleep call for process: 7iatifHQEp.exe modified
                                                11:58:38Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                                11:58:39AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                11:58:48AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                185.140.53.132Do43p0ghpz.exeGet hashmaliciousBrowse
                                                  zWKtabs92B.exeGet hashmaliciousBrowse
                                                    0076364_00533MXS2.jarGet hashmaliciousBrowse
                                                      Atlas Home Products Inc RFQ_pdf.jarGet hashmaliciousBrowse
                                                        Payment Advice Hsbc_pdf.jarGet hashmaliciousBrowse
                                                          NOTIFICA DI ARRIVO DHL_PDF.jarGet hashmaliciousBrowse
                                                            NOTIFICA DI ARRIVO DHL_PDF.jarGet hashmaliciousBrowse
                                                              BOLDROCCHI SRL ITALY QUOTATION REQUEST_PDF.jarGet hashmaliciousBrowse
                                                                REQUEST FOR QUOTATION.jarGet hashmaliciousBrowse
                                                                  REQUEST FOR QUOTATION_pdf.jarGet hashmaliciousBrowse
                                                                    REQUEST FOR QUOTATION_pdf.jarGet hashmaliciousBrowse
                                                                      Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jarGet hashmaliciousBrowse
                                                                        Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jarGet hashmaliciousBrowse
                                                                          Ziraat Bankasi Swift_pdf.jarGet hashmaliciousBrowse
                                                                            YI SHNUFA REQUEST FOR QUOTATION.jarGet hashmaliciousBrowse
                                                                              YI SHNUFA REQUEST FOR QUOTATION.jarGet hashmaliciousBrowse
                                                                                TyRSrOojgV.exeGet hashmaliciousBrowse
                                                                                  2KGU6Ue1fD.exeGet hashmaliciousBrowse
                                                                                    DvYWRCSr5w.exeGet hashmaliciousBrowse
                                                                                      PURCHASE09812.exeGet hashmaliciousBrowse

                                                                                        Domains

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                        atacoinc8897.hopto.orgDo43p0ghpz.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.132
                                                                                        zWKtabs92B.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.132
                                                                                        wIeFid8p7Q.exeGet hashmaliciousBrowse
                                                                                        • 103.125.189.164
                                                                                        gSTnUDrWFe.exeGet hashmaliciousBrowse
                                                                                        • 185.244.26.199
                                                                                        FpK385nmHk.exeGet hashmaliciousBrowse
                                                                                        • 185.244.26.199
                                                                                        7sbXVpHq6E.exeGet hashmaliciousBrowse
                                                                                        • 185.244.26.199
                                                                                        Z08LsyTAN6.exeGet hashmaliciousBrowse
                                                                                        • 103.125.189.164
                                                                                        oIgeDSRrq4.exeGet hashmaliciousBrowse
                                                                                        • 23.105.131.174
                                                                                        OGKH8KZq2Z.exeGet hashmaliciousBrowse
                                                                                        • 23.105.131.174
                                                                                        INVOICE.docGet hashmaliciousBrowse
                                                                                        • 23.105.131.174

                                                                                        ASN

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                        DAVID_CRAIGGGSbext4ZNBq.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.197
                                                                                        xEdiPz1bC3.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.234
                                                                                        7D1wvBrRib.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.234
                                                                                        O8LDCTOK07.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.233
                                                                                        aE78QTkV5H.exeGet hashmaliciousBrowse
                                                                                        • 185.244.30.98
                                                                                        DHL Shipment Notice of Arrival AWB 8032697940773.jsGet hashmaliciousBrowse
                                                                                        • 185.165.153.158
                                                                                        ORDER-#00654.doc.....exeGet hashmaliciousBrowse
                                                                                        • 185.165.153.116
                                                                                        SMJshb9rCD.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.154
                                                                                        vUQV0nqjYx.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.182
                                                                                        Do43p0ghpz.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.132
                                                                                        DHL ShipmentDHL Shipment 237590.pdf.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.207
                                                                                        7GAi7ZFQz8.exeGet hashmaliciousBrowse
                                                                                        • 185.165.153.116
                                                                                        KL0DeoXZFx.dllGet hashmaliciousBrowse
                                                                                        • 91.193.75.78
                                                                                        C1jkp1o3Vl.dllGet hashmaliciousBrowse
                                                                                        • 185.140.53.152
                                                                                        fYRqcuLMYk.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.137
                                                                                        02oBhZg39b.exeGet hashmaliciousBrowse
                                                                                        • 185.244.30.112
                                                                                        7crYMLdmCL.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.234
                                                                                        Sw4rkFUNJt.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.137
                                                                                        qelMUH5CPF.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.149
                                                                                        zWKtabs92B.exeGet hashmaliciousBrowse
                                                                                        • 185.140.53.132

                                                                                        JA3 Fingerprints

                                                                                        No context

                                                                                        Dropped Files

                                                                                        No context

                                                                                        Created / dropped Files

                                                                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):811008
                                                                                        Entropy (8bit):7.082080403210023
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:JIUpevuzaBAGteHzdAaLMS3EtEOv5+RlC8+lEvKlJfF05Ibmu9EgeIKxAtWK:Lza2GtGAXhEXRlCbH
                                                                                        MD5:2AB285BA8F3215A095FC99C969A375C0
                                                                                        SHA1:4B8D19B22ED5562A7677DC7F5E5FE5A7167549F5
                                                                                        SHA-256:BC36FA2314F4E45645AF22CA75887B7B627DE4A65BFD1D274F18E7FC1975C8E4
                                                                                        SHA-512:573A1720F9F4A0B112A972BA55AB9C4D17F8AB8AC4D08BA6DCE21DB8925761F0E5CCC4E41B3545CA0A19FF593AE0B83544B37F57240A1E78774B4E4DC2903310
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 15%
                                                                                        Reputation:low
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.._.....................z........... ... ....@.. ....................................@.................................D...J.... ...v........................................................................... ............... ..H............text........ ...................... ..`.rsrc....v... ...x..................@..@.reloc...............^..............@..B................t.......H............E..............p"..........................................N+.+.*(m...+.(V...+.6.(.....(g...*..>+.+.*.+.(....+..0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+......(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(.
                                                                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7iatifHQEp.exe.log
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):1119
                                                                                        Entropy (8bit):5.356708753875314
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                        MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                        SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                        SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                        SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                        Malicious:true
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1119
                                                                                        Entropy (8bit):5.356708753875314
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                        MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                        SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                        SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                        SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log
                                                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1119
                                                                                        Entropy (8bit):5.356708753875314
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                        MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                        SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                        SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                        SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                        Malicious:false
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Temp\tmp37F.tmp
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1310
                                                                                        Entropy (8bit):5.109425792877704
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                        Malicious:false
                                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                        C:\Users\user\AppData\Local\Temp\tmp52.tmp
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1300
                                                                                        Entropy (8bit):5.10468653885933
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YkCxtn:cbk4oL600QydbQxIYODOLedq3Nj
                                                                                        MD5:7B2330246D352470D40A3CF9AFB7DF22
                                                                                        SHA1:090EDAEC13EFD731E0AF391F245B059B8C2B2303
                                                                                        SHA-256:7DDDBFD2E795938A056485FAEB03947116626C21FD000C1AC892566E4CDABF27
                                                                                        SHA-512:9628C56680323A8A57B6AD27055C1E504164BA0F6721F9555F72715F3F070D4A7CB0D11A40456241DD3BA21B469576D03371D793024388273D11B48C42E69255
                                                                                        Malicious:true
                                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):232
                                                                                        Entropy (8bit):7.089541637477408
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
                                                                                        MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
                                                                                        SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
                                                                                        SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
                                                                                        SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
                                                                                        Malicious:false
                                                                                        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):8
                                                                                        Entropy (8bit):3.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:XE9t:k
                                                                                        MD5:2AE5D43A0C74E5D9BBA4FA5DB4DD2345
                                                                                        SHA1:0866AFA7D31872559551FBB7D137D40100915810
                                                                                        SHA-256:FF7CE978C1D3E2BFE33296404C2F6FC8C5E89336C27273C68E06251BA3833B92
                                                                                        SHA-512:7F16C2754D2F71585E122B646439D4FF441EF8017C4ECD216316142238B7D75BD0E79F0C2B1DA8CD765510E19586913FE43992F0979D89DC0FE1B660BEB7448C
                                                                                        Malicious:true
                                                                                        Preview: .....H
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:modified
                                                                                        Size (bytes):40
                                                                                        Entropy (8bit):5.153055907333276
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                                        MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                                        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                                        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                                        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                                        Malicious:false
                                                                                        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):327768
                                                                                        Entropy (8bit):7.999367066417797
                                                                                        Encrypted:true
                                                                                        SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                                                                        MD5:2E52F446105FBF828E63CF808B721F9C
                                                                                        SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                                                                        SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                                                                        SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                                                                        Malicious:false
                                                                                        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):37
                                                                                        Entropy (8bit):4.247030650103631
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:oNt+WfWSME4t0fC:oNwvSF4t0K
                                                                                        MD5:92DB28D61318824ABC7279FA247CBF99
                                                                                        SHA1:E31A7C34F6F0874669F9129E37CD6433905B8884
                                                                                        SHA-256:DBB10276ED41703245EF28CCE0D0A59C20DCDB59FF21F0EA778BC519F3167A9F
                                                                                        SHA-512:9C0640DB7F395831BEBC15EB13FCEF6B0864C75A550038CFC14698BE6345FC80620D99EEA8FC1114A8885430660B540FB514EC05BAD40E230F538B5C51FD74FA
                                                                                        Malicious:false
                                                                                        Preview: C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):811008
                                                                                        Entropy (8bit):7.082080403210023
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:JIUpevuzaBAGteHzdAaLMS3EtEOv5+RlC8+lEvKlJfF05Ibmu9EgeIKxAtWK:Lza2GtGAXhEXRlCbH
                                                                                        MD5:2AB285BA8F3215A095FC99C969A375C0
                                                                                        SHA1:4B8D19B22ED5562A7677DC7F5E5FE5A7167549F5
                                                                                        SHA-256:BC36FA2314F4E45645AF22CA75887B7B627DE4A65BFD1D274F18E7FC1975C8E4
                                                                                        SHA-512:573A1720F9F4A0B112A972BA55AB9C4D17F8AB8AC4D08BA6DCE21DB8925761F0E5CCC4E41B3545CA0A19FF593AE0B83544B37F57240A1E78774B4E4DC2903310
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 15%
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.._.....................z........... ... ....@.. ....................................@.................................D...J.... ...v........................................................................... ............... ..H............text........ ...................... ..`.rsrc....v... ...x..................@..@.reloc...............^..............@..B................t.......H............E..............p"..........................................N+.+.*(m...+.(V...+.6.(.....(g...*..>+.+.*.+.(....+..0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+......(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(.
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier
                                                                                        Process:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Preview: [ZoneTransfer]....ZoneId=0

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):7.082080403210023
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:7iatifHQEp.exe
                                                                                        File size:811008
                                                                                        MD5:2ab285ba8f3215a095fc99c969a375c0
                                                                                        SHA1:4b8d19b22ed5562a7677dc7f5e5fe5a7167549f5
                                                                                        SHA256:bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4
                                                                                        SHA512:573a1720f9f4a0b112a972ba55ab9c4d17f8ab8ac4d08ba6dce21db8925761f0e5ccc4e41b3545ca0a19ff593ae0b83544b37f57240a1e78774b4e4dc2903310
                                                                                        SSDEEP:12288:JIUpevuzaBAGteHzdAaLMS3EtEOv5+RlC8+lEvKlJfF05Ibmu9EgeIKxAtWK:Lza2GtGAXhEXRlCbH
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.._.....................z........... ... ....@.. ....................................@................................

                                                                                        File Icon

                                                                                        Icon Hash:74f2dbb284c2e2ee

                                                                                        Static PE Info

                                                                                        General

                                                                                        Entrypoint:0x48028e
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                        Time Stamp:0x5FB48348 [Wed Nov 18 02:13:28 2020 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                        Entrypoint Preview

                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al

                                                                                        Data Directories

                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x802440x4a.text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x820000x47615.rsrc
                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xca0000xc.reloc
                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                        Sections

                                                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                        .text0x20000x7e2940x7e400False0.947399056312data7.93849654903IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                        .rsrc0x820000x476150x47800False0.200174825175data4.66083231207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                        .reloc0xca0000xc0x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                        Resources

                                                                                        NameRVASizeTypeLanguageCountry
                                                                                        RT_ICON0x8208c0x42028dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
                                                                                        RT_ICON0xc40d80x25a8data
                                                                                        RT_ICON0xc66a40x10a8data
                                                                                        RT_ICON0xc77700x988data
                                                                                        RT_ICON0xc811c0x468GLS_BINARY_LSB_FIRST
                                                                                        RT_GROUP_ICON0xc85c00x4cdata
                                                                                        RT_VERSION0xc86480x33cdata
                                                                                        RT_MANIFEST0xc89c00xc55XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                        Imports

                                                                                        DLLImport
                                                                                        mscoree.dll_CorExeMain

                                                                                        Version Infos

                                                                                        DescriptionData
                                                                                        Translation0x0000 0x04b0
                                                                                        LegalCopyright(c) 2020 Skype and/or Microsoft
                                                                                        Assembly Version8.61.0.87
                                                                                        InternalNamePOP.exe
                                                                                        FileVersion8.61.0.87
                                                                                        CompanyNameSkype Technologies S.A.
                                                                                        CommentsSkype Setup
                                                                                        ProductNameSkype
                                                                                        ProductVersion8.61.0.87
                                                                                        FileDescriptionSkype Setup
                                                                                        OriginalFilenamePOP.exe

                                                                                        Network Behavior

                                                                                        Snort IDS Alerts

                                                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                        11/18/20-11:58:38.981958TCP2025019ET TROJAN Possible NanoCore C2 60B497402008192.168.2.4185.140.53.132

                                                                                        Network Port Distribution

                                                                                        TCP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Nov 18, 2020 11:58:38.711035967 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:38.929177999 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:38.930305004 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:38.981957912 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:39.210066080 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:39.217971087 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:39.437911034 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:39.468616962 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:39.752727032 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:39.752876043 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.035464048 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.044193983 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.044223070 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.044240952 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.044337034 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.044461012 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.044564962 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.263046980 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263077974 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263096094 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263154030 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263171911 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.263237953 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.263257027 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263279915 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263294935 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263314009 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.263322115 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.263406992 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.480839014 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.480870008 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.480973005 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.481910944 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484441042 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484466076 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484493971 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484509945 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484525919 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484539032 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484550953 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484561920 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484571934 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.484587908 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.484594107 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484611034 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484617949 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.484632969 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484644890 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.484666109 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.485060930 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.699049950 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.699076891 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.699091911 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.699112892 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.699150085 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.699184895 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702172995 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702203035 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702254057 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702274084 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702285051 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702342987 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702397108 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702459097 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702507019 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702752113 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702779055 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702794075 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702816010 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702830076 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702861071 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702868938 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702897072 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702939034 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702965021 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.702975988 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.702991962 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703007936 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703027010 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703042984 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703052044 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703063965 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703087091 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703097105 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703118086 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703149080 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703176022 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703182936 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703200102 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703217030 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703223944 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703239918 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703253984 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.703282118 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.703300953 CET497402008192.168.2.4185.140.53.132
                                                                                        Nov 18, 2020 11:58:40.916192055 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916273117 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916297913 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916315079 CET200849740185.140.53.132192.168.2.4
                                                                                        Nov 18, 2020 11:58:40.916330099 CET200849740185.140.53.132192.168.2.4

                                                                                        UDP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Nov 18, 2020 11:57:49.653585911 CET6529853192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:49.680577040 CET53652988.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:51.361126900 CET5912353192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:51.388252974 CET53591238.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:52.081000090 CET5453153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:52.116302013 CET53545318.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:52.512145996 CET4971453192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:52.539290905 CET53497148.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:53.606643915 CET5802853192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:53.636061907 CET53580288.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:56.131905079 CET5309753192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:56.159998894 CET53530978.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:56.959647894 CET4925753192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:56.986934900 CET53492578.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:58.039235115 CET6238953192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:58.082623005 CET53623898.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:58.933356047 CET4991053192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:58.960411072 CET53499108.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:57:59.713067055 CET5585453192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:57:59.740192890 CET53558548.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:00.418561935 CET6454953192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:00.445698023 CET53645498.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:01.297748089 CET6315353192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:01.333014011 CET53631538.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:02.099831104 CET5299153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:02.135205030 CET53529918.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:02.771399021 CET5370053192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:02.798860073 CET53537008.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:03.486097097 CET5172653192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:03.513406992 CET53517268.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:04.210117102 CET5679453192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:04.237381935 CET53567948.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:05.015455961 CET5653453192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:05.042644024 CET53565348.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:05.695656061 CET5662753192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:05.722738981 CET53566278.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:06.373281002 CET5662153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:06.400357008 CET53566218.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:07.033508062 CET6311653192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:07.089931011 CET53631168.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:07.712860107 CET6407853192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:07.739938021 CET53640788.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:22.398978949 CET6480153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:22.426115990 CET53648018.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:38.663141966 CET6172153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:38.700674057 CET53617218.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:39.067317009 CET5125553192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:39.094420910 CET53512558.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:45.577871084 CET6152253192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:45.617377043 CET53615228.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:47.066999912 CET5233753192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:47.123790979 CET53523378.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:49.170727015 CET5504653192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:49.206267118 CET53550468.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:49.522612095 CET4961253192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:49.558015108 CET53496128.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:50.000792027 CET4928553192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:50.027971029 CET53492858.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:50.745896101 CET5060153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:50.781511068 CET53506018.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:51.273139954 CET6087553192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:51.300228119 CET53608758.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:51.460912943 CET5644853192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:51.496370077 CET53564488.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:52.538747072 CET5917253192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:52.574165106 CET53591728.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:53.427572012 CET6242053192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:53.464175940 CET53624208.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:58:53.976187944 CET6057953192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:58:54.011662960 CET53605798.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:59:05.782891035 CET5018353192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:59:05.819732904 CET53501838.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:59:32.995410919 CET6153153192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:59:33.022480965 CET53615318.8.8.8192.168.2.4
                                                                                        Nov 18, 2020 11:59:35.417139053 CET4922853192.168.2.48.8.8.8
                                                                                        Nov 18, 2020 11:59:35.444271088 CET53492288.8.8.8192.168.2.4

                                                                                        DNS Queries

                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                        Nov 18, 2020 11:58:38.663141966 CET192.168.2.48.8.8.80x4e5cStandard query (0)atacoinc8897.hopto.orgA (IP address)IN (0x0001)

                                                                                        DNS Answers

                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                        Nov 18, 2020 11:58:38.700674057 CET8.8.8.8192.168.2.40x4e5cNo error (0)atacoinc8897.hopto.org185.140.53.132A (IP address)IN (0x0001)

                                                                                        Code Manipulations

                                                                                        Statistics

                                                                                        Behavior

                                                                                        Click to jump to process

                                                                                        System Behavior

                                                                                        Analysis Process: 7iatifHQEp.exe PID: 6388 Parent PID: 5872

                                                                                        General

                                                                                        Start time:11:57:54
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\Desktop\7iatifHQEp.exe'
                                                                                        Imagebase:0xae0000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.746986118.0000000003EA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: 7iatifHQEp.exe PID: 4652 Parent PID: 6388

                                                                                        General

                                                                                        Start time:11:58:32
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        Imagebase:0x910000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935726656.00000000070F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.928378720.0000000003DB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.927401574.0000000002DD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.936085002.0000000007170000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935450830.00000000070A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935890980.0000000007120000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935611468.00000000070D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935832934.0000000007110000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.933797828.0000000005360000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935995077.0000000007140000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.933981268.0000000005570000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935790597.0000000007100000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.935939535.0000000007130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.924198809.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.930001764.0000000004040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.936154770.00000000071B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.936061414.0000000007160000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.927267258.0000000002D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.934706892.00000000066C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        Reputation:low

                                                                                        Analysis Process: schtasks.exe PID: 4780 Parent PID: 4652

                                                                                        General

                                                                                        Start time:11:58:34
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp52.tmp'
                                                                                        Imagebase:0x3b0000
                                                                                        File size:185856 bytes
                                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Analysis Process: conhost.exe PID: 3400 Parent PID: 4780

                                                                                        General

                                                                                        Start time:11:58:35
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff724c50000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Analysis Process: schtasks.exe PID: 3416 Parent PID: 4652

                                                                                        General

                                                                                        Start time:11:58:35
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp37F.tmp'
                                                                                        Imagebase:0x3b0000
                                                                                        File size:185856 bytes
                                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Analysis Process: conhost.exe PID: 4824 Parent PID: 3416

                                                                                        General

                                                                                        Start time:11:58:36
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff724c50000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Analysis Process: 7iatifHQEp.exe PID: 5624 Parent PID: 968

                                                                                        General

                                                                                        Start time:11:58:36
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\Desktop\7iatifHQEp.exe 0
                                                                                        Imagebase:0x620000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.840650413.0000000003AD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: dhcpmon.exe PID: 6096 Parent PID: 968

                                                                                        General

                                                                                        Start time:11:58:38
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                                        Imagebase:0xfb0000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.849442029.0000000004359000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 15%, ReversingLabs
                                                                                        Reputation:low

                                                                                        Analysis Process: vlc.exe PID: 5728 Parent PID: 3424

                                                                                        General

                                                                                        Start time:11:58:39
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                                                                        Imagebase:0x540000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.847853177.0000000003A59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 15%, ReversingLabs
                                                                                        Reputation:low

                                                                                        Analysis Process: dhcpmon.exe PID: 6848 Parent PID: 3424

                                                                                        General

                                                                                        Start time:11:58:48
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                                        Imagebase:0x7ff77ba70000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.876859982.0000000003509000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: vlc.exe PID: 4640 Parent PID: 3424

                                                                                        General

                                                                                        Start time:11:58:56
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                                                                        Imagebase:0x100000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.879176577.00000000034F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: 7iatifHQEp.exe PID: 5932 Parent PID: 5624

                                                                                        General

                                                                                        Start time:11:59:11
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\Desktop\7iatifHQEp.exe
                                                                                        Imagebase:0x5c0000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.854990817.0000000003A29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.854235134.0000000002A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.845403673.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: vlc.exe PID: 684 Parent PID: 5728

                                                                                        General

                                                                                        Start time:11:59:12
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Imagebase:0x210000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low

                                                                                        Analysis Process: dhcpmon.exe PID: 4804 Parent PID: 6096

                                                                                        General

                                                                                        Start time:11:59:14
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Imagebase:0xbe0000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.864624288.00000000030F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.857765386.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.864967146.00000000040F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: vlc.exe PID: 3792 Parent PID: 5728

                                                                                        General

                                                                                        Start time:11:59:15
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Imagebase:0x880000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.863525827.0000000003D49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.858367673.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.862885363.0000000002D41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: dhcpmon.exe PID: 6988 Parent PID: 6848

                                                                                        General

                                                                                        Start time:11:59:26
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Imagebase:0x1d0000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low

                                                                                        Analysis Process: dhcpmon.exe PID: 6576 Parent PID: 6848

                                                                                        General

                                                                                        Start time:11:59:29
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                        Imagebase:0xd90000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.887121991.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.894008602.0000000003111000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.894711914.0000000004119000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Analysis Process: vlc.exe PID: 1500 Parent PID: 4640

                                                                                        General

                                                                                        Start time:11:59:30
                                                                                        Start date:18/11/2020
                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                                                        Imagebase:0x700000
                                                                                        File size:811008 bytes
                                                                                        MD5 hash:2AB285BA8F3215A095FC99C969A375C0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.896227752.0000000003C39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.888778065.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.895996724.0000000002C31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        Disassembly

                                                                                        Code Analysis

                                                                                        Reset < >