
Analysis Report 1kn1ejwPxi.exe

Overview

General Information

Sample Name: 1kn1ejwPxi.exe
Analysis ID: 319525
MD5: d4dc21771af067f1a4e1be14a06d9628
SHA1: 4eceb759e8ce69e05bf0d4f634273ae9768b5561
SHA256: 6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 1kn1ejwPxi.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\1kn1ejwPxi.exe' MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • 1kn1ejwPxi.exe (PID: 5748 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • 1kn1ejwPxi.exe (PID: 5844 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • 1kn1ejwPxi.exe (PID: 6592 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • 1kn1ejwPxi.exe (PID: 6516 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
      • schtasks.exe (PID: 6672 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6644 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 1kn1ejwPxi.exe (PID: 6632 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe 0 MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • 1kn1ejwPxi.exe (PID: 5340 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
  • vlc.exe (PID: 7148 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • vlc.exe (PID: 5364 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • vlc.exe (PID: 5392 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
  • dhcpmon.exe (PID: 5728 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • dhcpmon.exe (PID: 5568 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
  • dhcpmon.exe (PID: 6212 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • dhcpmon.exe (PID: 5012 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
  • vlc.exe (PID: 6480 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • vlc.exe (PID: 3588 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • vlc.exe (PID: 6940 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • vlc.exe (PID: 6928 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
  • cleanup
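Every image in the tree above, including the dropped dhcpmon.exe and vlc.exe, carries the submitted file's MD5 (D4DC21771AF067F1A4E1BE14A06D9628); only schtasks.exe and conhost.exe differ. The persistence copies are therefore byte-identical copies of the submitted file, not a second-stage payload, and a hash-based IOC for the sample already covers them. The following Python is an added triage example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses a constructed excerpt of the tree (the report's own lines, re-indented to two spaces per level, which is this parser's assumption), reconstructs parent/child links, lists every image with the sample's hash that runs from somewhere other than the original Desktop path, and pulls the task names and XML paths out of the schtasks command lines. The helper names parse_tree, persistence_copies and scheduled_tasks are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines from the report's "Startup" tree, with each level
# indented by two spaces (an assumption of this parser, not a Joe Sandbox
# export format).
REPORT_TREE = r"""
• 1kn1ejwPxi.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\1kn1ejwPxi.exe' MD5: D4DC21771AF067F1A4E1BE14A06D9628)
  • 1kn1ejwPxi.exe (PID: 6516 cmdline: C:\Users\user\Desktop\1kn1ejwPxi.exe MD5: D4DC21771AF067F1A4E1BE14A06D9628)
    • schtasks.exe (PID: 6672 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6644 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
• vlc.exe (PID: 7148 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: D4DC21771AF067F1A4E1BE14A06D9628)
• dhcpmon.exe (PID: 5728 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D4DC21771AF067F1A4E1BE14A06D9628)
"""

SAMPLE_MD5 = "D4DC21771AF067F1A4E1BE14A06D9628"          # MD5 of the submitted file
ORIGINAL_PATH = r"C:\Users\user\Desktop\1kn1ejwPxi.exe"  # where the sample was launched from

LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) "
    r"MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# First token of a command line, quoted or not, up to and including ".exe"
IMAGE_PATH_RE = re.compile(r"^'?(?P<path>[A-Za-z]:\\.*?\.exe)'?", re.I)
# schtasks /create ... /tn '<name>' ... /xml '<file>'
TASK_RE = re.compile(r"/tn '(?P<name>[^']+)'.*?/xml '(?P<xml>[^']+)'", re.I)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    md5: str
    parent_pid: Optional[int]


def parse_tree(text: str) -> List[Proc]:
    """Turn the indented bullet tree into Proc records with parent links."""
    procs: List[Proc] = []
    stack: List[tuple] = []  # (depth, pid) of the currently open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        proc = Proc(int(m["pid"]), m["image"], m["cmd"], m["md5"].upper(), parent)
        procs.append(proc)
        stack.append((depth, proc.pid))
    return procs


def image_path(cmdline: str) -> Optional[str]:
    m = IMAGE_PATH_RE.match(cmdline)
    return m["path"] if m else None


def persistence_copies(procs: List[Proc], sample_md5: str, original_path: str) -> List[str]:
    """Paths of executables that have the sample's hash but run from a location
    other than the original drop path: the self-copies installed for persistence."""
    found = set()
    for p in procs:
        path = image_path(p.cmdline)
        if p.md5 == sample_md5.upper() and path and path.lower() != original_path.lower():
            found.add(path)
    return sorted(found)


def scheduled_tasks(procs: List[Proc]):
    """(task name, XML path, parent image) for every schtasks /create in the tree."""
    by_pid = {p.pid: p for p in procs}
    tasks = []
    for p in procs:
        if p.image.lower() != "schtasks.exe" or "/create" not in p.cmdline.lower():
            continue
        m = TASK_RE.search(p.cmdline)
        if m:
            parent = by_pid.get(p.parent_pid)
            tasks.append((m["name"], m["xml"], parent.image if parent else None))
    return tasks


if __name__ == "__main__":
    tree = parse_tree(REPORT_TREE)
    for path in persistence_copies(tree, SAMPLE_MD5, ORIGINAL_PATH):
        print("persistence copy:", path)
    for name, xml, parent in scheduled_tasks(tree):
        print(f"task {name!r} registered from {xml} by {parent}")
```

Run stand-alone it prints the two persistence paths (Program Files (x86)\DHCP Monitor\dhcpmon.exe and the Start Menu vlc.exe) and the two tasks, each registered by the sample from an XML definition in the user's Temp folder, which is the combination the Sigma rule further down keys on.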

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0x435cd:$a: NanoCore
  • 0x43626:$a: NanoCore
  • 0x43663:$a: NanoCore
  • 0x436dc:$a: NanoCore
  • 0x56d87:$a: NanoCore
  • 0x56d9c:$a: NanoCore
  • 0x56dd1:$a: NanoCore
  • 0x6fd73:$a: NanoCore
  • 0x6fd88:$a: NanoCore
  • 0x6fdbd:$a: NanoCore
  • 0x4362f:$b: ClientPlugin
  • 0x4366c:$b: ClientPlugin
  • 0x43f6a:$b: ClientPlugin
  • 0x43f77:$b: ClientPlugin
  • 0x56b43:$b: ClientPlugin
  • 0x56b5e:$b: ClientPlugin
  • 0x56b8e:$b: ClientPlugin
  • 0x56da5:$b: ClientPlugin
  • 0x56dda:$b: ClientPlugin
  • 0x6fb2f:$b: ClientPlugin
  • 0x6fb4a:$b: ClientPlugin
Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x146bd:$x1: NanoCore.ClientPluginHost
  • 0x146fa:$x2: IClientNetworkHost
  • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(137 entries in total; only the first are shown here.)

Unpacked PEs

Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x39eb:$x2: NanoCore.ClientPluginHost
  • 0x3b36:$s4: PipeCreated
  • 0x3a05:$s5: IClientLoggingHost
Source: 9.2.1kn1ejwPxi.exe.7100000.9.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
(71 entries in total; only the first are shown here.)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\1kn1ejwPxi.exe, ProcessId: 6516, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\1kn1ejwPxi.exe, ParentImage: C:\Users\user\Desktop\1kn1ejwPxi.exe, ParentProcessId: 6516, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp', ProcessId: 6672

Signature Overview

    AV Detection:

Found malware configuration
Source: vlc.exe.5392.27.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: atacoinc8897.hopto.org; Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 16%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: 1kn1ejwPxi.exe; Virustotal: Detection: 16%
Source: 1kn1ejwPxi.exe; ReversingLabs: Detection: 48%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.616627338.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vlc.exe PID: 5392, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORY
Source: Yara match; File source: Process Memory Space: vlc.exe PID: 6480, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORY
Source: Yara match; File source: Process Memory Space: vlc.exe PID: 7148, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORY
Source: Yara match; File source: Process Memory Space: vlc.exe PID: 6928, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
Source: Yara match; File source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 1kn1ejwPxi.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 35.2.vlc.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.vlc.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; File opened: C:\Users\user\AppData\
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.6:49740 -> 185.140.53.132:2008
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 185.140.53.132
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: atacoinc8897.hopto.org
Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Creates a DirectInput object (often for capturing keystrokes)
Source: 1kn1ejwPxi.exe, 00000000.00000002.424650711.000000000134B000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: 1kn1ejwPxi.exe, 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
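The two Sigma matches in the Sigma Overview (a run.dat created under a GUID-named folder in AppData\Roaming, and schtasks.exe /create with its /xml definition in the user's Temp folder) and the network evidence just above (TCP to 185.140.53.132:2008, DNS for atacoinc8897.hopto.org) are all observable from Sysmon event fields. The Python below is an added example, not part of this report and not a published Sigma rule: it re-implements those checks over a constructed list of Sysmon-style events (EventID 1 process creation, 11 file creation, 3 network connection, 22 DNS query; field names follow Sysmon's) and includes a benign schtasks invocation reading its XML from ProgramData and an unrelated HTTPS connection to the TEST-NET address 203.0.113.10 to show that neither fires. The event dicts, the regexes and the labels returned by detect() are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the report.
C2_IP, C2_PORT = "185.140.53.132", 2008
C2_DOMAIN = "atacoinc8897.hopto.org"

# "Scheduled temp file as task from temp location": schtasks /create whose
# /xml task definition lives in a temp directory.
SCHTASKS_XML_RE = re.compile(r"/xml\s+(?:'(?P<q>[^']+)'|(?P<u>\S+))", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# "NanoCore": run.dat written under %APPDATA%\<GUID>\
RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\run\.dat$", re.I
)


def detect(event: Dict) -> List[str]:
    """Return the label of every check the event matches (empty list if none)."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower():
            m = SCHTASKS_XML_RE.search(cmd)
            xml = (m["q"] or m["u"]) if m else ""
            if TEMP_DIR_RE.search(xml):
                hits.append("sigma:schtasks_xml_from_temp")
    elif eid == 11:  # file creation
        if RUN_DAT_RE.search(event.get("TargetFilename", "")):
            hits.append("sigma:nanocore_run_dat")
    elif eid == 3:  # network connection
        if event.get("DestinationIp") == C2_IP and int(event.get("DestinationPort", 0)) == C2_PORT:
            hits.append("ioc:nanocore_c2_ip_port")
    elif eid == 22:  # DNS query
        if event.get("QueryName", "").rstrip(".").lower() == C2_DOMAIN:
            hits.append("ioc:nanocore_c2_domain")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """(event index, EventID, label) for every hit across a batch of events."""
    return [(i, e["EventID"], label) for i, e in enumerate(events) for label in detect(e)]


# Constructed Sysmon-style events: four mirror what the report observed, two
# are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\1kn1ejwPxi.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"schtasks.exe /create /tn 'Vendor Update' /xml 'C:\ProgramData\Vendor\update.xml'"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\1kn1ejwPxi.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe",
     "DestinationIp": "185.140.53.132", "DestinationPort": 2008},
    {"EventID": 3, "Image": r"C:\Program Files\Example Browser\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Users\user\Desktop\1kn1ejwPxi.exe",
     "QueryName": "atacoinc8897.hopto.org"},
]

if __name__ == "__main__":
    for idx, eid, label in scan(SAMPLE_EVENTS):
        print(f"event {idx} (EventID {eid}): {label}")
```

The run.dat and schtasks checks are behavioural and will keep matching new NanoCore builds; the IP, port and dynamic-DNS hostname are this sample's configuration and should be expected to change, which is why the two kinds of indicator are labelled separately.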

E-Banking Fraud:

Yara detected Nanocore RAT: same memory-dump and unpacked-PE matches as listed under AV Detection above.

    System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000003.611686179.0000000004AE5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
    Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: vlc.exe PID: 5392, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: vlc.exe PID: 5392, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: vlc.exe PID: 6480, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: vlc.exe PID: 6480, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: vlc.exe PID: 7148, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: vlc.exe PID: 7148, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: vlc.exe PID: 6928, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: vlc.exe PID: 6928, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7120000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.54f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_02FA7D98
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_02FAA080
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_02FAA07A
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_02FAB1D0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_02FAB1C0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_05B7BEF0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 0_2_05B7BC78
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_069602B0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_015AE471
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_015AE480
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_015ABBD4
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_0545F5F8
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_05459788
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 9_2_0545A580
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 17_2_018E7D98
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 17_2_018EB1C0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 17_2_018EB1D0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 17_2_05D8BEF0
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe; Code function: 17_2_05D8BC78
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; Code function: 18_2_014A81E0
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; Code function: 18_2_014A81D1
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe; Code function: 18_2_014A7F87
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 19_2_012A7D98
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 19_2_012AB1D0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 19_2_059BBEF0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 19_2_059BBC78
    Source: 1kn1ejwPxi.exe; Static PE information: Resource name: RT_ICON, type: GLS_BINARY_LSB_FIRST
    Source: vlc.exe.0.dr; Static PE information: Resource name: RT_ICON, type: GLS_BINARY_LSB_FIRST
    Source: dhcpmon.exe.9.dr; Static PE information: Resource name: RT_ICON, type: GLS_BINARY_LSB_FIRST
    Source: 1kn1ejwPxi.exe, 00000000.00000002.422849000.0000000000D0E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKelkmeofmrfus.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000000.00000002.424650711.000000000134B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000000.00000002.429332486.0000000005640000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000000.00000002.429428590.00000000056B0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary3.dll< vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000004.00000002.414875792.000000000027E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000006.00000002.416916059.000000000038E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000008.00000002.419017484.000000000034E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe Binary or memory string: OriginalFilename vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000003.439811964.0000000006C01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.613770232.0000000000B2E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.622648242.0000000006370000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000011.00000002.511162363.00000000059E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKelkmeofmrfus.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000011.00000002.511392368.0000000005A40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary3.dll< vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000011.00000002.499857428.0000000000F3E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000011.00000002.510652338.00000000056D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000019.00000000.498230563.000000000105E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe, 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs 1kn1ejwPxi.exe
    Source: 1kn1ejwPxi.exe Binary or memory string: OriginalFilenamePOP.exe, vs 1kn1ejwPxi.exe
    Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000003.611686179.0000000004AE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 5392, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 5392, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 6480, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 6480, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 7148, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 7148, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 6928, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 6928, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7120000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7120000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.54f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.54f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000003.611686179.0000000004AE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 5392, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 5392, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 6480, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 6480, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 7148, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 7148, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vlc.exe PID: 6928, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vlc.exe PID: 6928, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7160000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7150000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7130000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7120000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7120000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7110000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.54f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.54f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7140000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7190000.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.6960000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.70c0000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.71d0000.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 9.2.1kn1ejwPxi.exe.7180000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'CreateDecryptor'
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'TransformFinalBlock'
    Source: classification engine, Classification label: mal100.troj.evad.winEXE@36/14@1/1
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, File created: C:\Program Files (x86)\DHCP Monitor
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{950dc9c6-d071-4b80-ab32-4e46986f440d}
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, File created: C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp
    Source: 1kn1ejwPxi.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 1kn1ejwPxi.exe, Virustotal: Detection: 16%
    Source: 1kn1ejwPxi.exe, ReversingLabs: Detection: 48%
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, File read: C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe 'C:\Users\user\Desktop\1kn1ejwPxi.exe'
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'
    Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp'
    Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe 0
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
    Source: unknown, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp'
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
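    The process chain above is the part of this report that matters most for detection engineering: the sample launches identical copies of itself (the injection targets), calls schtasks.exe /create twice with task XML read from %TEMP% (the "Scheduled temp file as task from temp location" Sigma hit in the summary), and then runs the persisted copies vlc.exe under Start Menu\Programs\VideoLAN and dhcpmon.exe under Program Files (x86). The Python below is an added example and is not Joe Sandbox code or code from the sample. It runs three checks over a constructed list of process-creation events modelled on the entries above; image paths, command lines and task names are copied from the report, while the PIDs, the event layout, the parent attribution of the first launch and the benign control event are assumptions made for the example.

```python
"""Process-creation checks for the chain in this report (added example).

Constructed events: image paths, command lines and task names follow the
report; PIDs, the parent of the first launch and the benign control event
are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Locations a scheduled-task definition should never be imported from.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# Value of /xml: single-quoted (as the sandbox renders it), double-quoted or bare.
XML_ARG_RE = re.compile(r"/xml\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# Start Menu\Programs holds shortcuts; a real executable living there is a masquerade.
START_MENU_RE = re.compile(r"\\Start Menu\\Programs\\.*\.exe$", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def xml_argument(cmdline: str) -> Optional[str]:
    """Return the task XML path passed to schtasks, or None if there is none."""
    m = XML_ARG_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def check_schtasks_temp_xml(ev: ProcEvent) -> Optional[Finding]:
    """schtasks /create importing its task definition from a temp directory."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    xml = xml_argument(ev.cmdline)
    if xml and TEMP_DIR_RE.search(xml):
        return Finding("schtasks_xml_from_temp", ev.pid, xml)
    return None


def check_start_menu_exe(ev: ProcEvent) -> Optional[Finding]:
    """An executable image launched from under Start Menu\\Programs."""
    if START_MENU_RE.search(ev.image):
        return Finding("exe_under_start_menu", ev.pid, ev.image)
    return None


def check_self_spawn(ev: ProcEvent) -> Optional[Finding]:
    """A process launching its own image, the shape the injection took here."""
    if ev.parent_image.lower() == ev.image.lower():
        return Finding("self_spawn", ev.pid, ev.image)
    return None


CHECKS = (check_schtasks_temp_xml, check_start_menu_exe, check_self_spawn)


def detect(events: List[ProcEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


SAMPLE = r"C:\Users\user\Desktop\1kn1ejwPxi.exe"
VLC = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
DHCPMON = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events in the order the report lists them (PIDs are made up).
EVENTS = [
    ProcEvent(1000, "unknown", SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(1004, SAMPLE, SAMPLE, SAMPLE),
    ProcEvent(1009, SAMPLE, SAMPLE, SAMPLE),
    ProcEvent(1010, SAMPLE, SCHTASKS,
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'"),
    ProcEvent(1012, SAMPLE, SCHTASKS,
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp'"),
    ProcEvent(1018, "unknown", VLC, f"'{VLC}'"),
    ProcEvent(1020, VLC, VLC, VLC),
    ProcEvent(1019, "unknown", DHCPMON, f"'{DHCPMON}' 0"),
    # Benign control (constructed): task XML imported from a non-temp directory.
    ProcEvent(2000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn Backup /xml "C:\ProgramData\Backup\task.xml"'),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:24} pid={f.pid} {f.detail}")
```

    The dhcpmon.exe launch is deliberately not flagged by path alone: C:\Program Files (x86)\<vendor>\ is a normal install location, and separating it from a legitimate install needs the file-creation telemetry shown in the "File created" entries, which process events do not carry. The self-spawn check is a coarse one; it should be joined with the "suspended mode" and section-write events before it is alerted on.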
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: 1kn1ejwPxi.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: 1kn1ejwPxi.exe, Static file information: File size 1124864 > 1048576
    Source: 1kn1ejwPxi.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs, .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs, .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 0_2_02FA0A4B push 8B013354h; retf
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 0_2_02FA1B96 push ds; retf
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 0_2_05B73D19 push edx; ret
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 9_2_0545B5E0 push eax; retf
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 9_2_05450331 push ecx; ret
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 9_2_054569F8 pushad ; retf
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 9_2_054569FA push esp; retf
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 17_2_018E0A4B push 8B014454h; retf
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe, Code function: 17_2_05D83D19 push edx; ret
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Code function: 18_2_014A1B95 push ds; retf
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Code function: 18_2_014A0A4B push 8B014054h; retf
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 19_2_012A1B96 push ds; retf
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 19_2_012A0A4B push 8B012454h; retf
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 19_2_059B3D19 push edx; ret
    Source: 1kn1ejwPxi.exe, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 1kn1ejwPxi.exe, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: vlc.exe.0.dr, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: vlc.exe.0.dr, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 0.2.1kn1ejwPxi.exe.c00000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 0.2.1kn1ejwPxi.exe.c00000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 0.0.1kn1ejwPxi.exe.c00000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 0.0.1kn1ejwPxi.exe.c00000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 4.2.1kn1ejwPxi.exe.170000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 4.2.1kn1ejwPxi.exe.170000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 4.0.1kn1ejwPxi.exe.170000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 4.0.1kn1ejwPxi.exe.170000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 6.0.1kn1ejwPxi.exe.280000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 6.0.1kn1ejwPxi.exe.280000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 6.2.1kn1ejwPxi.exe.280000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 6.2.1kn1ejwPxi.exe.280000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 8.2.1kn1ejwPxi.exe.240000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 8.2.1kn1ejwPxi.exe.240000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 8.0.1kn1ejwPxi.exe.240000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.cs, High entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 8.0.1kn1ejwPxi.exe.240000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: dhcpmon.exe.9.dr, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.cs, High entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: dhcpmon.exe.9.dr, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 9.0.1kn1ejwPxi.exe.a20000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.csHigh entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 9.0.1kn1ejwPxi.exe.a20000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 9.2.1kn1ejwPxi.exe.a20000.1.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.csHigh entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 9.2.1kn1ejwPxi.exe.a20000.1.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 17.2.1kn1ejwPxi.exe.e30000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 17.2.1kn1ejwPxi.exe.e30000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.csHigh entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 1kn1ejwPxi.exe, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 1kn1ejwPxi.exe, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.csHigh entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: vlc.exe.0.dr, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: vlc.exe.0.dr, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.csHigh entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 0.2.1kn1ejwPxi.exe.c00000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: 0.2.1kn1ejwPxi.exe.c00000.0.unpack, eTbn77UUa09imqTCunW/MZyEbJUHkhb6WWUVxTa.csHigh entropy of concatenated method names: '.cctor', 'agWHyQyieY', 'iUIHgsETj0', 'pssHKo4LgT', 'PjGHR1QPeE', 'XqV0bnDrTqtQIcTlXsQ', 'KAYMliDw1FSaJH9kO9S', 'W886u9DmP8qVmiDI9nE', 'CGBYPcDaHSQPxubCn3i', 'kB5n5rDTS62jVFvCYPF'
    Source: 0.0.1kn1ejwPxi.exe.c00000.0.unpack, P3pfIOHn5nE3mkwe1lC/U0rnRTHFWUX7U6I8OtH.csHigh entropy of concatenated method names: '.cctor', 'K0IOpSohr', 'vi9sJiiia', 'L9MLuYuB6', 'L1VEcZe0p', 'Awkdn3QoP', 'oVRhnuF2M', 'xlfqA79i6rqWvXBJwmA', 'mi1DPt9GTp6VZ0CxbUd', 'NRs4r698ASoJ2LxcNrt'
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | File opened: C:\Users\user\Desktop\1kn1ejwPxi.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: vlc.exe Binary or memory string: SBIEDLL.DLL
    Source: 1kn1ejwPxi.exe, 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, 1kn1ejwPxi.exe, 00000011.00000002.511162363.00000000059E0000.00000004.00000001.sdmp, vlc.exe, 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.541042731.0000000004BC0000.00000004.00000001.sdmp, vlc.exe, 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEADKCREATEOBJECT("WSCRIPT.SHELL").RUN """
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Window / User API: threadDelayed 5016
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Window / User API: threadDelayed 4234
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Window / User API: foregroundWindowGot 526
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Window / User API: foregroundWindowGot 432
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe TID: 7120 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe TID: 4860 Thread sleep time: -16602069666338586s >= -30000s
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe TID: 7092 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5764 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5444 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3512 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4404 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe TID: 5456 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5560 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5612 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5788 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6460 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\
    Source: vlc.exe, 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp Binary or memory string: vmware
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process token adjusted: Debug
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Memory written: C:\Users\user\Desktop\1kn1ejwPxi.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp'
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617736721.0000000003034000.00000004.00000001.sdmp | Binary or memory string: Program ManagerD$(lP&
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617846916.0000000003069000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: 1kn1ejwPxi.exe, 00000009.00000002.615924987.0000000001950000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: 1kn1ejwPxi.exe, 00000009.00000002.615924987.0000000001950000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: 1kn1ejwPxi.exe, 00000009.00000002.623181384.000000000680C000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
    Source: 1kn1ejwPxi.exe, 00000009.00000002.615924987.0000000001950000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
    Source: 1kn1ejwPxi.exe, 00000009.00000002.622940954.00000000065CD000.00000004.00000001.sdmp | Binary or memory string: Program Managerram ManagerG
    Source: 1kn1ejwPxi.exe, 00000009.00000002.615924987.0000000001950000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: 1kn1ejwPxi.exe, 00000009.00000002.624464496.000000000753E000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Users\user\Desktop\1kn1ejwPxi.exe VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Users\user\Desktop\1kn1ejwPxi.exe VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Users\user\Desktop\1kn1ejwPxi.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Users\user\Desktop\1kn1ejwPxi.exe VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Code function: 0_2_02FAFC80 GetUserNameA,
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

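    The evidence above carries the four behaviours that matter for triage: two schtasks.exe invocations that import a task definition from a .tmp file under AppData\Local\Temp (the behaviour behind the "Scheduled temp file as task from temp location" Sigma hit), an MZ header written at image base 0x400000 of a child that the writer spawned from its own image (the classic suspended-child hollowing pattern), an enumeration of installed security products through ROOT\SecurityCenter2, and a read of the MachineGuid value used as a host fingerprint. As an added example that is not part of the Joe Sandbox report, the Python below reconstructs a handful of those lines (constructed, with " | " between the Source cell and the detail cell, plus one constructed benign svchost.exe control line) and runs a small detector over them; the rule names, severities and the correlation of self-spawn with the MZ write are this example's own choices, not the sandbox's logic.

```python
"""Triage sandbox behaviour evidence for NanoCore-style persistence and
injection indicators.  Added example, not part of the Joe Sandbox report.
SAMPLE_EVIDENCE is constructed from the report's evidence table; rule names
and severities are this example's own."""
import re
from collections import defaultdict

SAMPLE_EVIDENCE = [
    # PE header (4D 5A) written at the image base of a process that shares the writer's image.
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Memory written: C:\Users\user\Desktop\1kn1ejwPxi.exe base: 400000 value starts with: 4D5A",
    # Same kind of write by dhcpmon.exe, but its self-spawn line is deliberately left out (negative case).
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Process created: C:\Users\user\Desktop\1kn1ejwPxi.exe C:\Users\user\Desktop\1kn1ejwPxi.exe",
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'",
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp'",
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\1kn1ejwPxi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    # Constructed benign control: a task imported from a non-temp XML must not fire.
    r"Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\schtasks.exe 'schtasks.exe' /create /tn 'Backup' /xml 'C:\ProgramData\backup\task.xml'",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) \| (?P<action>Memory written|Process created|Key value queried|WMI Queries): (?P<detail>.+)$")
# /xml '<path>' where the path lives under the per-user temp directory and ends in .tmp
TEMP_XML_RE = re.compile(r"/xml\s+'(?P<xml>[^']*\\AppData\\Local\\Temp\\[^']*\.tmp)'", re.IGNORECASE)
MEMWRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")
SECCENTER_RE = re.compile(
    r"ROOT\\SecurityCenter2\s*:\s*SELECT .* FROM (?P<cls>AntiVirusProduct|AntiSpywareProduct|FirewallProduct)", re.IGNORECASE)

IMAGE_BASE = 0x400000  # default load base of the 32-bit .NET payloads seen in this report


def parse(lines):
    """Split each evidence line into (source process, action, detail)."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def triage(lines):
    """Return findings as (severity, rule, source process, detail) tuples."""
    findings = []
    self_spawn = set()   # images observed starting a copy of themselves
    mz_writes = []       # (writer, target image, base) where the written bytes start with 4D5A
    for ev in parse(lines):
        src, action, detail = ev["src"], ev["action"], ev["detail"]
        if action == "Process created":
            image = detail.split(".exe", 1)[0] + ".exe"   # detail is "<image> <command line>"
            if image.lower() == src.lower():
                self_spawn.add(src.lower())
            m = TEMP_XML_RE.search(detail)
            if "schtasks" in image.lower() and m:
                findings.append(("high", "scheduled task created from temp XML", src, m.group("xml")))
        elif action == "Memory written":
            m = MEMWRITE_RE.match(detail)
            if m and m.group("magic").upper().startswith("4D5A"):
                mz_writes.append((src, m.group("target"), int(m.group("base"), 16)))
        elif action == "Key value queried" and detail.upper().endswith("\\CRYPTOGRAPHY MACHINEGUID"):
            findings.append(("low", "host fingerprint via MachineGuid", src, detail))
        elif action == "WMI Queries":
            m = SECCENTER_RE.search(detail)
            if m:
                findings.append(("medium", "security product enumeration via SecurityCenter2", src, m.group("cls")))
    # Correlation: a PE header landing at the image base of a process with the
    # writer's own image, after the writer spawned itself, is the hollowing pattern
    # (child created suspended, original image replaced, thread resumed).
    for writer, target, base in mz_writes:
        if target.lower() == writer.lower() and base == IMAGE_BASE and writer.lower() in self_spawn:
            findings.append(("high", "PE written to image base of self-spawned child (process hollowing)",
                             writer, f"base=0x{base:X}"))
    return findings


def severity_counts(findings):
    counts = defaultdict(int)
    for sev, *_ in findings:
        counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, rule, src, detail in triage(SAMPLE_EVIDENCE):
        print(f"[{sev:6}] {rule}: {src} -> {detail}")
    print(severity_counts(triage(SAMPLE_EVIDENCE)))
```

    The dhcpmon.exe MZ write on its own is intentionally not reported: on a real host the same write is what a legitimate loader or debugger does, and it is the self-spawn plus the write at the original image base that makes it hollowing. The temp-XML rule keys on the schtasks.exe image rather than the quoted 'schtasks.exe' token in the command line, so renaming the argument does not evade it.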
    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.616627338.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 5392, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6480, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 7148, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6928, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
    Source: Yara match | File source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPE
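
    The artifact names in this list tell you where in each process the NanoCore signature fired. A memory-dump name breaks into <process index>.<run>.<dump id>.<address>.<protection>.<type>.sdmp with the process index in hex, while an unpacked-PE name carries the index in decimal together with the image name and the base at which the PE was carved, so 00000023 and 35.2.vlc.exe refer to the same process, 0000001E to 30.2.dhcpmon.exe, and 00000009 to 9.2.1kn1ejwPxi.exe. The Python below, an added example rather than anything the report ships, parses a constructed subset of the lines above, maps the hex dump indexes to image names through the unpack entries, and marks each hit that lies inside a carved PE region (the 0x402000 hits sit in the payload loaded at 0x400000; the 0x6470000 hit in process 9 is a second copy the sandbox also carved as a raw PE). Reading the fifth field as a Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE on the in-image hits, 0x04 = PAGE_READWRITE on the heap hits), calling the third field a dump identifier, and the 1 MiB containment window are this example's assumptions.

```python
"""Map Joe Sandbox Yara-match artifact names back to processes and regions.
Added example, not part of the report.  SAMPLE_MATCHES is a constructed subset
of the "Yara match / File source" lines; field meanings beyond index, run and
address are assumptions noted inline."""
import re
from collections import defaultdict

# <idx hex>.<run hex>.<dump id (assumed)>.<address>.<protection (assumed)>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")
# <idx dec>.<run dec>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<run>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")
PIDSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")

PAGE_EXECUTE_READWRITE = 0x40   # assumed reading of the protection field
IMAGE_WINDOW = 0x100000         # heuristic: a hit within 1 MiB above a carved PE base counts as inside it

SAMPLE_MATCHES = [  # (file source, type), constructed from the report listing
    ("0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp", "MEMORY"),
    ("00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp", "MEMORY"),
    ("00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp", "MEMORY"),
    ("00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp", "MEMORY"),
    ("0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp", "MEMORY"),
    ("00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp", "MEMORY"),
    ("Process Memory Space: vlc.exe PID: 5392", "MEMORY"),
    ("Process Memory Space: 1kn1ejwPxi.exe PID: 5340", "MEMORY"),
    ("25.2.1kn1ejwPxi.exe.400000.0.unpack", "UNPACKEDPE"),
    ("9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack", "UNPACKEDPE"),
    ("35.2.vlc.exe.400000.0.unpack", "UNPACKEDPE"),
    ("27.2.vlc.exe.400000.0.unpack", "UNPACKEDPE"),
    ("30.2.dhcpmon.exe.400000.0.unpack", "UNPACKEDPE"),
    ("9.2.1kn1ejwPxi.exe.400000.0.unpack", "UNPACKEDPE"),
]


def correlate(matches):
    """Group hits by process index; regions are (address, protection, containing carved-PE base or None)."""
    procs = defaultdict(lambda: {"image": None, "run": None, "unpacked": [], "regions": []})
    pids = defaultdict(list)
    hits = []
    for source, _kind in matches:
        m = UNPACK_RE.match(source)
        if m:   # unpack entries are the only place the index is tied to an image name
            p = procs[int(m["idx"])]
            p["image"], p["run"] = m["image"], int(m["run"])
            base = int(m["base"], 16)
            if base not in p["unpacked"]:
                p["unpacked"].append(base)
            continue
        m = PIDSPACE_RE.match(source)
        if m:
            pids[m["image"]].append(int(m["pid"]))
            continue
        m = SDMP_RE.match(source)
        if m:
            hits.append((int(m["idx"], 16), int(m["run"], 16), int(m["base"], 16), int(m["prot"], 16)))
    for idx, run, base, prot in hits:   # second pass so every unpack base is known
        p = procs[idx]
        p["run"] = run if p["run"] is None else p["run"]
        container = next((u for u in sorted(p["unpacked"], reverse=True) if u <= base < u + IMAGE_WINDOW), None)
        p["regions"].append((base, prot, container))
    return {"processes": dict(procs), "pids": dict(pids)}


def in_image_processes(result):
    """Process indexes whose signature hit lies inside a carved PE, i.e. the decoded payload itself."""
    return sorted(idx for idx, p in result["processes"].items()
                  if any(c is not None for _, _, c in p["regions"]))


def rwx_hits(result):
    """(index, address) of hits in regions whose protection field reads PAGE_EXECUTE_READWRITE."""
    return sorted((idx, base) for idx, p in result["processes"].items()
                  for base, prot, _ in p["regions"] if prot == PAGE_EXECUTE_READWRITE)


if __name__ == "__main__":
    r = correlate(SAMPLE_MATCHES)
    for idx, p in sorted(r["processes"].items()):
        print(idx, p["image"], [(hex(b), hex(pr), None if c is None else hex(c)) for b, pr, c in p["regions"]])
    print("payload in image:", in_image_processes(r), "pids:", r["pids"])
```

    The split matters for response: a hit inside the carved PE at 0x400000 means the process itself is the hollowed NanoCore host, while the heap-only hits (processes 27 and 35 in the sample) show the same bytes in a region with no carved PE around it, which is what a loader holding the decrypted payload before injecting it looks like.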

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: 1kn1ejwPxi.exe, 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe | String found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuid
AttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCr
eateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: 1kn1ejwPxi.exe, 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUD
PCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: 1kn1ejwPxi.exe, 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Ru
ntime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: 1kn1ejwPxi.exe, 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe, 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe, 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Ru
ntime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: vlc.exe, 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.C
ompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runti
me.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runti
me.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: vlc.exe, 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.C
ompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: 1kn1ejwPxi.exe, 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe String found in binary or memory: NanoCore.ClientPluginHost
PCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: 1kn1ejwPxi.exe, 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Ru
ntime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: 1kn1ejwPxi.exe, 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe, 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: 1kn1ejwPxi.exe, 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Ru
ntime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: vlc.exe, 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.C
ompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runti
me.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runti
me.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: vlc.exe, 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vlc.exe, 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.C
ompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RAT
    Source: Yara match | File source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.616627338.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 5392, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 5340, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5568, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 6632, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6480, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 7064, type: MEMORY
    Source: Yara match | File source: Process Memory Space: 1kn1ejwPxi.exe PID: 6516, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 7148, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORY
    Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6928, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
    Source: Yara match | File source: 25.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 9.2.1kn1ejwPxi.exe.6470000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 35.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 27.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 9.2.1kn1ejwPxi.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 9.2.1kn1ejwPxi.exe.6470000.6.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | Input Capture21 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job1 | Registry Run Keys / Startup Folder11 | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder11 | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | Security Software Discovery211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Virtualization/Sandbox Evasion2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion2 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

    Behavior Graph

    Behavior Graph ID: 319525, Sample: 1kn1ejwPxi.exe, Startdate: 18/11/2020, Architecture: WINDOWS, Score: 100

    Process tree recovered from the graph export (the graph image itself is not reproduced; node badge numbers are kept as exported):

    Start: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
        1kn1ejwPxi.exe 1 4 (started)
            Dropped: C:\Users\user\AppData\Roaming\...\vlc.exe (PE32); C:\Users\user\...\vlc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\1kn1ejwPxi.exe.log (ASCII)
            Signature: Injects a PE file into a foreign processes
            1kn1ejwPxi.exe 1 15 (started)
                DNS/IP: atacoinc8897.hopto.org 185.140.53.132, 2008, 49740, DAVID_CRAIGGG, Sweden
                Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp9EB6.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
                Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                schtasks.exe 1 (started)
                    conhost.exe (started)
                schtasks.exe 1 (started)
                    conhost.exe (started)
            1kn1ejwPxi.exe (started)
            1kn1ejwPxi.exe (started)
            1kn1ejwPxi.exe (started)
        vlc.exe 1 (started)
            Dropped: C:\Users\user\AppData\Local\...\vlc.exe.log (ASCII)
            vlc.exe (started)
            vlc.exe (started)
        vlc.exe (started)
            3 other processes
        3 other processes
            1kn1ejwPxi.exe (started)
            2 other processes

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    1kn1ejwPxi.exe | 17% | Virustotal |
    1kn1ejwPxi.exe | 48% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke
    1kn1ejwPxi.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 100% | Joe Sandbox ML |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 17% | Virustotal |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 48% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 17% | Virustotal |
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 48% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke

    Unpacked PE Files

    Source | Detection | Scanner | Label
    25.2.1kn1ejwPxi.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    35.2.vlc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    27.2.vlc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    28.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    30.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    9.2.1kn1ejwPxi.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

    Domains

    Source | Detection | Scanner | Label
    atacoinc8897.hopto.org | 6% | Virustotal |

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    atacoinc8897.hopto.org | 185.140.53.132 | true | true | unknown

    Contacted IPs


    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    185.140.53.132 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

    General Information

    Joe Sandbox Version:31.0.0 Red Diamond
    Analysis ID:319525
    Start date:18.11.2020
    Start time:11:59:23
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 13m 21s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:1kn1ejwPxi.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:38
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal100.troj.evad.winEXE@36/14@1/1
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 1.8% (good quality ratio 1.1%)
    • Quality average: 45.3%
    • Quality standard deviation: 40.9%
    HCA Information:
    • Successful, ratio: 84%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
    • TCP Packets have been reduced to 100
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 168.61.161.212, 51.104.144.132, 52.155.217.156, 20.54.26.129, 8.248.113.254, 8.253.95.120, 67.26.137.254, 67.27.234.126, 67.27.233.254, 52.242.211.89, 92.122.213.194, 92.122.213.247, 23.210.248.85
    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, americas1.notify.windows.com.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, dm3p.wns.notify.windows.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net
    • Report creation exceeded maximum time and may have missing disassembly code information.
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.

    Simulations

    Behavior and APIs

    Time | Type | Description
    12:01:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
    12:01:07 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\1kn1ejwPxi.exe" s>$(Arg0)
    12:01:08 | API Interceptor | 707x Sleep call for process: 1kn1ejwPxi.exe modified
    12:01:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    12:01:10 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
    12:01:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

    Joe Sandbox View / Context

    IPs

    Match | Associated Sample Name / URL | Detection
    185.140.53.132 | 7iatifHQEp.exe | malicious
    | Do43p0ghpz.exe | malicious
    | zWKtabs92B.exe | malicious
    | 0076364_00533MXS2.jar | malicious
    | Atlas Home Products Inc RFQ_pdf.jar | malicious
    | Payment Advice Hsbc_pdf.jar | malicious
    | NOTIFICA DI ARRIVO DHL_PDF.jar | malicious
    | NOTIFICA DI ARRIVO DHL_PDF.jar | malicious
    | BOLDROCCHI SRL ITALY QUOTATION REQUEST_PDF.jar | malicious
    | REQUEST FOR QUOTATION.jar | malicious
    | REQUEST FOR QUOTATION_pdf.jar | malicious
    | REQUEST FOR QUOTATION_pdf.jar | malicious
    | Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jar | malicious
    | Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jar | malicious
    | Ziraat Bankasi Swift_pdf.jar | malicious
    | YI SHNUFA REQUEST FOR QUOTATION.jar | malicious
    | YI SHNUFA REQUEST FOR QUOTATION.jar | malicious
    | TyRSrOojgV.exe | malicious
    | 2KGU6Ue1fD.exe | malicious
    | DvYWRCSr5w.exe | malicious

    Domains

    Match | Associated Sample Name / URL | Detection | Context
    atacoinc8897.hopto.org | 7iatifHQEp.exe | malicious | 185.140.53.132
    | Do43p0ghpz.exe | malicious | 185.140.53.132
    | zWKtabs92B.exe | malicious | 185.140.53.132
    | wIeFid8p7Q.exe | malicious | 103.125.189.164
    | gSTnUDrWFe.exe | malicious | 185.244.26.199
    | FpK385nmHk.exe | malicious | 185.244.26.199
    | 7sbXVpHq6E.exe | malicious | 185.244.26.199
    | Z08LsyTAN6.exe | malicious | 103.125.189.164
    | oIgeDSRrq4.exe | malicious | 23.105.131.174
    | OGKH8KZq2Z.exe | malicious | 23.105.131.174
    | INVOICE.doc | malicious | 23.105.131.174

    ASN

    Match | Associated Sample Name / URL | Detection | Context
    DAVID_CRAIGGG | D6vy84I7rJ.exe | malicious | 185.140.53.149
    | 7iatifHQEp.exe | malicious | 185.140.53.132
    | Sbext4ZNBq.exe | malicious | 185.140.53.197
    | xEdiPz1bC3.exe | malicious | 185.140.53.234
    | 7D1wvBrRib.exe | malicious | 185.140.53.234
    | O8LDCTOK07.exe | malicious | 185.140.53.233
    | aE78QTkV5H.exe | malicious | 185.244.30.98
    | DHL Shipment Notice of Arrival AWB 8032697940773.js | malicious | 185.165.153.158
    | ORDER-#00654.doc.....exe | malicious | 185.165.153.116
    | SMJshb9rCD.exe | malicious | 185.140.53.154
    | vUQV0nqjYx.exe | malicious | 185.140.53.182
    | Do43p0ghpz.exe | malicious | 185.140.53.132
    | DHL ShipmentDHL Shipment 237590.pdf.exe | malicious | 185.140.53.207
    | 7GAi7ZFQz8.exe | malicious | 185.165.153.116
    | KL0DeoXZFx.dll | malicious | 91.193.75.78
    | C1jkp1o3Vl.dll | malicious | 185.140.53.152
    | fYRqcuLMYk.exe | malicious | 185.140.53.137
    | 02oBhZg39b.exe | malicious | 185.244.30.112
    | 7crYMLdmCL.exe | malicious | 185.140.53.234
    | Sw4rkFUNJt.exe | malicious | 185.140.53.137

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1124864
                                            Entropy (8bit):5.014957066819657
                                            Encrypted:false
                                            SSDEEP:24576:9tIuv5vRwaAQmDmHKmbQPVU7wKFGhFFfalCb:7Cb
                                            MD5:D4DC21771AF067F1A4E1BE14A06D9628
                                            SHA1:4ECEB759E8CE69E05BF0D4F634273AE9768B5561
                                            SHA-256:6E6132E3F3BC119ADAC878BA65475B581698E8DD7D2169F984BB5EB232F6B3C6
                                            SHA-512:94503DE5B1ECDE76A041ABC92BEA16D6B950FA930221DC6D03909E0BA9A5404EC8D005CCDE96A15AAA1EECFA7B7EE7A736FED18E87C6A9CE95100D3C08733A95
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 17%
                                            • Antivirus: ReversingLabs, Detection: 48%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................n........... ........@.. ....................................@.....................................K........k...................`....................................................... ............... ..H............text....... ...................... ..`.rsrc....k.......l..................@..@.reloc.......`.......(..............@..B........................H.......p...........*....)..m............................................0..~........(.... .....:....&8....8........E........8.......:/...&&8.....(....o.....:&...&&8....8....8....*8....}....8....8....}....8.......0..........8g.......E........8....8h...8.......@....8P...*........:....&8.....(....8....8.... ....(....9....& ....8.....{.....:....&8.....8........;....8....8......8y...........0..5.......0............{.....:a...&85.......E............................5...E...8......}
                                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview: [ZoneTransfer]....ZoneId=0
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1kn1ejwPxi.exe.log
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):425
                                            Entropy (8bit):5.340009400190196
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                            MD5:CC144808DBAF00E03294347EADC8E779
                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):425
                                            Entropy (8bit):5.340009400190196
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                            MD5:CC144808DBAF00E03294347EADC8E779
                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log
                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):425
                                            Entropy (8bit):5.340009400190196
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                            MD5:CC144808DBAF00E03294347EADC8E779
                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                            Malicious:true
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                            C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1303
                                            Entropy (8bit):5.097952448531751
                                            Encrypted:false
                                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0VrCxtn:cbk4oL600QydbQxIYODOLedq3OCj
                                            MD5:DEB3C4FE3C73644F4693F8CD3F075ED1
                                            SHA1:B17C69EE16AEFCACDC3210BFBF0DC3AA20774590
                                            SHA-256:8BF64C6CA969DC068BFAC950805FE4E5916B1943094E4A1D3779EE98984EE2F4
                                            SHA-512:A2695226D6C97C635FA7972E0E94A3266F4E85C82FA9C5ECD01216F0123DBE04765024812DB87EBFA3854D32804D7EFEB92ABB030A22EB9136201230D5F7E13F
                                            Malicious:true
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                            C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1310
                                            Entropy (8bit):5.109425792877704
                                            Encrypted:false
                                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                            Malicious:false
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):232
                                            Entropy (8bit):7.089541637477408
                                            Encrypted:false
                                            SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
                                            MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
                                            SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
                                            SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
                                            SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
                                            Malicious:false
                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):3.0
                                            Encrypted:false
                                            SSDEEP:3:wyt:w+
                                            MD5:80F3BBD5E455819033C15E691DE356B9
                                            SHA1:75EA88C2C4A5743BA493C63C581A954F1D600FD7
                                            SHA-256:89DCB57B299D5227C530A791E6D8CDFD25E3C340050A6D945DF309243EF7C0B6
                                            SHA-512:2C6BCC416B2A54ED05DED91253CA1BCC36C345AF3B7714665B82B8C7A93CE77BDD9E8BE94871F12D445C2B697F08F4BF37E0D4B07F7E3D5DF8FFC1B69A45D86E
                                            Malicious:true
                                            Preview: .....H
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):40
                                            Entropy (8bit):5.153055907333276
                                            Encrypted:false
                                            SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                            MD5:4E5E92E2369688041CC82EF9650EDED2
                                            SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                            SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                            SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                            Malicious:false
                                            Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):327768
                                            Entropy (8bit):7.999367066417797
                                            Encrypted:true
                                            SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                            MD5:2E52F446105FBF828E63CF808B721F9C
                                            SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                            SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                            SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                            Malicious:false
                                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):40
                                            Entropy (8bit):4.034183719779189
                                            Encrypted:false
                                            SSDEEP:3:oNN2+WUdNdA:oNN2RUK
                                            MD5:8B56B1D61728357BA8AA5BEC389367D9
                                            SHA1:830F108D36C01F2E425FE4CFBE582299EF9D6A6C
                                            SHA-256:B2087C20A7C51D5BE7AF38C145426D6622483EED3B864A9594234F4E01FB42C3
                                            SHA-512:0A9318BDCB81E07B52C4C92E263B9CB4DBD4CCFC98570D40183DA1EA77C7BD2C535B9D07D0125D4F4935B1685AFBC0F83B146842E1DD3C3EF193BDA421C9106F
                                            Malicious:false
                                            Preview: C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1124864
                                            Entropy (8bit):5.014957066819657
                                            Encrypted:false
                                            SSDEEP:24576:9tIuv5vRwaAQmDmHKmbQPVU7wKFGhFFfalCb:7Cb
                                            MD5:D4DC21771AF067F1A4E1BE14A06D9628
                                            SHA1:4ECEB759E8CE69E05BF0D4F634273AE9768B5561
                                            SHA-256:6E6132E3F3BC119ADAC878BA65475B581698E8DD7D2169F984BB5EB232F6B3C6
                                            SHA-512:94503DE5B1ECDE76A041ABC92BEA16D6B950FA930221DC6D03909E0BA9A5404EC8D005CCDE96A15AAA1EECFA7B7EE7A736FED18E87C6A9CE95100D3C08733A95
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 17%
                                            • Antivirus: ReversingLabs, Detection: 48%
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................n........... ........@.. ....................................@.....................................K........k...................`....................................................... ............... ..H............text....... ...................... ..`.rsrc....k.......l..................@..@.reloc.......`.......(..............@..B........................H.......p...........*....)..m............................................0..~........(.... .....:....&8....8........E........8.......:/...&&8.....(....o.....:&...&&8....8....8....*8....}....8....8....}....8.......0..........8g.......E........8....8h...8.......@....8P...*........:....&8.....(....8....8.... ....(....9....& ....8.....{.....:....&8.....8........;....8....8......8y...........0..5.......0............{.....:a...&85.......E............................5...E...8......}
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview: [ZoneTransfer]....ZoneId=0

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.014957066819657
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:1kn1ejwPxi.exe
                                            File size:1124864
                                            MD5:d4dc21771af067f1a4e1be14a06d9628
                                            SHA1:4eceb759e8ce69e05bf0d4f634273ae9768b5561
                                            SHA256:6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
                                            SHA512:94503de5b1ecde76a041abc92bea16d6b950fa930221dc6d03909e0ba9a5404ec8d005ccde96a15aaa1eecfa7b7ee7a736fed18e87c6a9ce95100d3c08733a95
                                            SSDEEP:24576:9tIuv5vRwaAQmDmHKmbQPVU7wKFGhFFfalCb:7Cb
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................n........... ........@.. ....................................@................................

                                            File Icon

                                            Icon Hash:74f2dbb284c2e2ee

                                            Static PE Info

                                            General

                                            Entrypoint:0x4cd8de
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x5FB3FA82 [Tue Nov 17 16:29:54 2020 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcd890 | 0x4b | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0x46be4 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x116000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

                                            Sections

                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0xcb8e4 | 0xcba00 | False | 0.430274996163 | data | 4.32205844238 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xce000 | 0x46be4 | 0x46c00 | False | 0.198180073984 | data | 4.61906006707 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x116000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name | RVA | Size | Type | Language | Country
                                            RT_ICON | 0xce1f0 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 |  | 
                                            RT_ICON | 0x110218 | 0x25a8 | data |  | 
                                            RT_ICON | 0x1127c0 | 0x10a8 | data |  | 
                                            RT_ICON | 0x113868 | 0x988 | data |  | 
                                            RT_ICON | 0x1141f0 | 0x468 | GLS_BINARY_LSB_FIRST |  | 
                                            RT_GROUP_ICON | 0x114658 | 0x4c | data |  | 
                                            RT_VERSION | 0x1146a4 | 0x33c | data |  | 
                                            RT_MANIFEST | 0x1149e0 | 0x204 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators |  | 

                                            Imports

                                            DLL | Import
                                            mscoree.dll | _CorExeMain

                                            Version Infos

                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            LegalCopyright | (c) 2020 Skype and/or Microsoft
                                            Assembly Version | 8.61.0.87
                                            InternalName | POP.exe
                                            FileVersion | 8.61.0.87
                                            CompanyName | Skype Technologies S.A.
                                            Comments | Skype Setup
                                            ProductName | Skype
                                            ProductVersion | 8.61.0.87
                                            FileDescription | Skype Setup
                                            OriginalFilename | POP.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Nov 18, 2020 12:01:02.598510027 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:02.816780090 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:02.817050934 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:03.231194019 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:03.461755991 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:03.471434116 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:03.689759016 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:03.689866066 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:03.959105015 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:03.959363937 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.228116989 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.247689009 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.247811079 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.247853041 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.247919083 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.248080015 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.248703957 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.468553066 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.468595028 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.468792915 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.468837023 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.468871117 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.469089031 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.469877958 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.469913960 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.469935894 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.470062017 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.470230103 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.470335960 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.695698023 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695741892 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695765972 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695813894 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695837975 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695863962 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695887089 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695909023 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695913076 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.695934057 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695943117 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.695950985 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.695961952 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.695986986 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.696012974 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.696019888 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.696044922 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.696062088 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.696070910 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.696095943 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.696118116 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.696135998 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.696202040 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.918458939 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918520927 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918543100 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918562889 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918586969 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918608904 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918623924 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.918731928 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918756008 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918770075 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.918781042 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918803930 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.918870926 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.918880939 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919102907 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919128895 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919152021 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919173002 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919197083 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919219017 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919229031 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919243097 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919267893 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919290066 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919290066 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919315100 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919337988 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919339895 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919363976 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919385910 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919394016 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919409037 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919431925 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919456005 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919460058 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919481039 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919485092 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919504881 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919506073 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919554949 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919591904 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919601917 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:04.919647932 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:04.919677973 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:05.063699961 CET | 49740 | 2008 | 192.168.2.6 | 185.140.53.132
                                            Nov 18, 2020 12:01:05.136939049 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:05.136982918 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6
                                            Nov 18, 2020 12:01:05.137006998 CET | 2008 | 49740 | 185.140.53.132 | 192.168.2.6

                                             UDP Packets

                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Nov 18, 2020 12:00:13.248363018 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:13.283672094 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:14.335647106 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:14.362818956 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:15.164990902 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:15.192244053 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:16.190414906 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:16.226067066 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:22.570188046 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:22.605942965 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:23.417960882 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:23.445033073 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:25.078023911 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:25.105062008 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:25.993100882 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:26.020191908 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:26.873503923 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:26.900569916 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:40.930696011 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:40.957848072 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:58.304928064 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:58.340606928 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:58.967941999 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:59.003626108 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:59.488626957 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:59.524243116 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:00:59.890418053 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:00:59.926162004 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:00.538958073 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:00.566036940 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:00.776721954 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:00.803774118 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:01.035347939 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:01.070774078 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:01.243684053 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:01.270833015 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:01.667543888 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:01.694413900 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:02.519939899 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:02.559106112 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:03.119750977 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:03.157656908 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:04.055767059 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:04.091257095 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:04.437027931 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:04.477509022 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:05.111198902 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:05.151900053 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:16.582643032 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:16.619678020 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:44.567858934 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:44.603383064 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:49.293688059 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:49.320830107 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6
                                             Nov 18, 2020 12:01:52.468095064 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8
                                             Nov 18, 2020 12:01:52.495204926 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6

                                             DNS Queries

                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                             Nov 18, 2020 12:01:02.519939899 CET | 192.168.2.6 | 8.8.8.8 | 0xb57f | Standard query (0) | atacoinc8897.hopto.org | A (IP address) | IN (0x0001)

                                             DNS Answers

                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                             Nov 18, 2020 12:01:02.559106112 CET | 8.8.8.8 | 192.168.2.6 | 0xb57f | No error (0) | atacoinc8897.hopto.org | | 185.140.53.132 | A (IP address) | IN (0x0001)
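The network tables above show the sequence an analyst wants to pick out of a sandbox capture: the sample resolves atacoinc8897.hopto.org through 8.8.8.8, the answer is 185.140.53.132, and a few seconds later the guest opens TCP connections to that address on port 2008. The script below is an added example (not Joe Sandbox code) that parses packet rows in either the pipe-separated layout or the fused form the report's HTML table collapses to when exported as text, then correlates DNS answers with later flows to the resolved address on ports outside a small expected set. The guest address 192.168.2.6, the Windows ephemeral-port floor of 49152 and the dynamic-DNS suffix watch-list are assumptions used to disambiguate the fused columns and to tag the domain; the sample rows are copied from the tables above.

```python
"""Correlate a sandbox DNS answer with follow-on TCP traffic to the resolved address.

Added example, not Joe Sandbox code.  Rows are copied from the packet tables
above, in both the pipe-separated layout and the fused text-export form.
"""
import re
from datetime import datetime, timedelta

GUEST_IP = "192.168.2.6"          # analysis guest; assumed to appear in every row
EPHEMERAL_MIN = 49152             # Windows default dynamic client port range (assumption)
EXPECTED_PORTS = {53, 80, 443}    # any other port to a freshly resolved host is reported
DYNAMIC_DNS = (".hopto.org", ".ddns.net", ".no-ip.org", ".duckdns.org")  # assumed watch-list

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+)(?: [A-Z]{3,4})?$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ts(text):
    """'Nov 18, 2020 12:01:02.559106112 CET' -> datetime (nanoseconds truncated to microseconds)."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad timestamp {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def valid_ip(s):
    return bool(IP_RE.match(s)) and all(int(o) <= 255 for o in s.split("."))


def valid_port(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 65535


def parse_packet_row(line):
    """Return {'ts','src_port','dst_port','src_ip','dst_ip'} for one packet-table row.

    Fused rows such as 'Nov 18, 2020 12:01:04.919601917 CET497402008192.168.2.6185.140.53.132'
    are resolved by requiring two valid IPv4 addresses, one of them the guest, and an
    ephemeral port on the guest side.  A row that still admits more than one reading
    raises rather than guessing.
    """
    line = line.strip()
    if "|" in line:
        ts, sp, dp, sip, dip = [f.strip() for f in line.split("|")]
        return {"ts": parse_ts(ts), "src_port": int(sp), "dst_port": int(dp),
                "src_ip": sip, "dst_ip": dip}
    m = re.match(r"^(.+? [A-Z]{3,4})(\d[\d.]*)$", line)
    if not m or "." not in m.group(2):
        raise ValueError(f"unrecognised row {line!r}")
    ts, rest = parse_ts(m.group(1)), m.group(2)
    first_dot = rest.index(".")
    found = []
    for k in (1, 2, 3):                       # first octet of src_ip is 1-3 digits long
        cut = first_dot - k
        if cut < 2:
            continue
        ports, ips = rest[:cut], rest[cut:]
        for i in range(7, len(ips) - 6):      # shortest IPv4 text is 7 characters
            sip, dip = ips[:i], ips[i:]
            if not (valid_ip(sip) and valid_ip(dip)) or GUEST_IP not in (sip, dip):
                continue
            for j in range(1, len(ports)):
                sp, dp = ports[:j], ports[j:]
                if not (valid_port(sp) and valid_port(dp)):
                    continue
                guest_port = int(sp) if sip == GUEST_IP else int(dp)
                if guest_port >= EPHEMERAL_MIN:
                    found.append({"ts": ts, "src_port": int(sp), "dst_port": int(dp),
                                  "src_ip": sip, "dst_ip": dip})
    if len(found) != 1:
        raise ValueError(f"ambiguous row {line!r}: {found}")
    return found[0]


def correlate(rows, dns_answers):
    """One alert per (resolved address, port) for guest-originated flows on unexpected ports.

    dns_answers: iterable of (timestamp_text, name, address).  The delay is measured from
    the DNS answer to the first matching packet.
    """
    resolved = {}
    for ts, name, addr in dns_answers:
        resolved.setdefault(addr, (parse_ts(ts), name))
    alerts, seen = [], set()
    for r in sorted((parse_packet_row(x) for x in rows), key=lambda p: p["ts"]):
        key = (r["dst_ip"], r["dst_port"])
        if r["src_ip"] != GUEST_IP or r["dst_ip"] not in resolved:
            continue
        if r["dst_port"] in EXPECTED_PORTS or key in seen:
            continue
        seen.add(key)
        res_ts, name = resolved[r["dst_ip"]]
        alerts.append({"domain": name, "ip": r["dst_ip"], "port": r["dst_port"],
                       "dynamic_dns": name.endswith(DYNAMIC_DNS),
                       "seconds_after_resolution": round((r["ts"] - res_ts).total_seconds(), 3)})
    return alerts


# Rows copied from the tables above: TCP tail in fused form, the two DNS packets in pipe form.
SAMPLE_ROWS = [
    "Nov 18, 2020 12:01:04.919591904 CET200849740185.140.53.132192.168.2.6",
    "Nov 18, 2020 12:01:04.919601917 CET497402008192.168.2.6185.140.53.132",
    "Nov 18, 2020 12:01:05.063699961 CET497402008192.168.2.6185.140.53.132",
    "Nov 18, 2020 12:01:05.136939049 CET200849740185.140.53.132192.168.2.6",
    "Nov 18, 2020 12:01:02.519939899 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8",
    "Nov 18, 2020 12:01:02.559106112 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6",
]
SAMPLE_DNS = [("Nov 18, 2020 12:01:02.559106112 CET", "atacoinc8897.hopto.org", "185.140.53.132")]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_ROWS, SAMPLE_DNS):
        print(alert)
```

Run against the rows above it reports a single flow, atacoinc8897.hopto.org at 185.140.53.132 on port 2008, about 2.4 seconds after the resolver answered, with the dynamic-DNS flag set. The disambiguation step matters more than it looks: "8.8.8.8192.168.2.6" has three splits into syntactically plausible octets, and only the guest-address constraint selects the right one, so the parser refuses rather than guesses whenever that constraint does not leave exactly one reading.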

                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:12:00:30
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\1kn1ejwPxi.exe'
                                            Imagebase:0xc00000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.428049069.00000000042C5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.427594239.0000000004201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:01
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Imagebase:0x170000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:12:01:02
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Imagebase:0x280000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:12:01:02
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Imagebase:0x240000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:12:01:03
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Imagebase:0xa20000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.624204849.00000000071D0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.624040800.0000000007160000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.622024902.00000000054F0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.624092570.0000000007180000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623866439.0000000007110000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.613039388.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.617006298.0000000002F2D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.621027784.00000000049D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.620931619.0000000004963000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.622854804.0000000006470000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623238450.0000000006960000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623644523.00000000070C0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623826686.0000000007100000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.616627338.0000000002EC1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.621144468.0000000004AC4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000003.611686179.0000000004AE5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.624006580.0000000007150000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623969104.0000000007140000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623897987.0000000007120000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.620462893.0000000003EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.623932235.0000000007130000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.624127580.0000000007190000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.620703151.0000000004792000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:06
                                            Start date:18/11/2020
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9EB6.tmp'
                                            Imagebase:0xf50000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:12:01:07
                                            Start date:18/11/2020
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff61de10000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:12:01:07
                                            Start date:18/11/2020
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA1D4.tmp'
                                            Imagebase:0xf50000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:12:01:08
                                            Start date:18/11/2020
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff61de10000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:12:01:08
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\1kn1ejwPxi.exe 0
                                            Imagebase:0xe30000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.507305444.0000000004345000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:10
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                            Imagebase:0xc20000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.509910009.00000000040E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.510414453.00000000041A5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 17%, Virustotal, Browse
                                            • Detection: 48%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:12:01:10
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                            Imagebase:0xb80000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.514905304.0000000004185000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 17%, Virustotal, Browse
                                            • Detection: 48%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:12:01:18
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                            Imagebase:0x140000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.537565440.0000000003685000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:26
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                            Imagebase:0xbe0000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.552753748.0000000004195000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.552372687.00000000040D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:40
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\1kn1ejwPxi.exe
                                            Imagebase:0xf50000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.517433157.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.519814493.0000000003311000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.520065528.0000000004319000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:40
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0x1f0000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:12:01:41
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0xa50000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.530956930.0000000003F49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.521475039.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.530452666.0000000002F41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:44
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Imagebase:0x9d0000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.535021401.0000000003EC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.527634171.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.534348993.0000000002EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:50
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Imagebase:0xb60000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.546761343.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.551302539.0000000004069000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.551029791.0000000003061000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:12:01:59
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0x1f0000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:12:02:00
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0x110000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:12:02:01
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0xae0000
                                            File size:1124864 bytes
                                            MD5 hash:D4DC21771AF067F1A4E1BE14A06D9628
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000023.00000002.569833415.0000000004069000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000023.00000002.569706588.0000000003061000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000023.00000002.567351430.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low
