Analysis Report 2AyWKsCvVF.exe

Overview

General Information

Sample Name: 2AyWKsCvVF.exe
Analysis ID: 319587
MD5: 678dac5fc4c6a55f032ba40698895e6a
SHA1: 8ea9541292f8e5d68948031ebcedafe04dda4a36
SHA256: 78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 2AyWKsCvVF.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\2AyWKsCvVF.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 6448 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
      • schtasks.exe (PID: 6924 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7116 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 2AyWKsCvVF.exe (PID: 5644 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe 0 MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 5576 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 5716 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 4164 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • dhcpmon.exe (PID: 6976 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • dhcpmon.exe (PID: 5000 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • vlc.exe (PID: 5720 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 852 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • dhcpmon.exe (PID: 5400 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • dhcpmon.exe (PID: 160 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • vlc.exe (PID: 5452 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 5372 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 4608 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 5504 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["192.253.246.143"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
29.2.2AyWKsCvVF.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
29.2.2AyWKsCvVF.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
29.2.2AyWKsCvVF.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\2AyWKsCvVF.exe, ProcessId: 6448, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\2AyWKsCvVF.exe, ParentImage: C:\Users\user\Desktop\2AyWKsCvVF.exe, ParentProcessId: 6448, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp', ProcessId: 6924

Signature Overview

AV Detection:

Found malware configuration
Source: 2AyWKsCvVF.exe.6448.11.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["192.253.246.143"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 26%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: 2AyWKsCvVF.exe, Virustotal: Detection: 26%
Source: 2AyWKsCvVF.exe, ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match, File source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORY
Source: Yara match, File source: Process Memory Space: vlc.exe PID: 852, type: MEMORY
Source: Yara match, File source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORY
Source: Yara match, File source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORY
Source: Yara match, File source: Process Memory Space: vlc.exe PID: 5504, type: MEMORY
Source: Yara match, File source: Process Memory Space: vlc.exe PID: 5720, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORY
Source: Yara match, File source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORY
Source: Yara match, File source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 2AyWKsCvVF.exe, Joe Sandbox ML: detected
Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 39.2.vlc.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 33.2.vlc.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 35.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 31.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: Joe Sandbox View, IP Address: 192.253.246.143
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown, DNS traffic detected: queries for: swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu
          Source: vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comB.TTFB
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma%
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comicta
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014