Loading ...

Play interactive tourEdit tour

Analysis Report 2AyWKsCvVF.exe

Overview

General Information

Sample Name:2AyWKsCvVF.exe
Analysis ID:319587
MD5:678dac5fc4c6a55f032ba40698895e6a
SHA1:8ea9541292f8e5d68948031ebcedafe04dda4a36
SHA256:78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92
Tags:exeNanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 2AyWKsCvVF.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\2AyWKsCvVF.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 6448 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
      • schtasks.exe (PID: 6924 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7116 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 2AyWKsCvVF.exe (PID: 5644 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe 0 MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 5576 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 5716 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • 2AyWKsCvVF.exe (PID: 4164 cmdline: C:\Users\user\Desktop\2AyWKsCvVF.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • dhcpmon.exe (PID: 6976 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • dhcpmon.exe (PID: 5000 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • vlc.exe (PID: 5720 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 852 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • dhcpmon.exe (PID: 5400 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • dhcpmon.exe (PID: 160 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • vlc.exe (PID: 5452 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 5372 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 4608 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
    • vlc.exe (PID: 5504 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 678DAC5FC4C6A55F032BA40698895E6A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["192.253.246.143"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        Click to see the 89 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        11.2.2AyWKsCvVF.exe.5280000.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe75:$x1: NanoCore.ClientPluginHost
        • 0xe8f:$x2: IClientNetworkHost
        11.2.2AyWKsCvVF.exe.5280000.3.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xe75:$x2: NanoCore.ClientPluginHost
        • 0x1261:$s3: PipeExists
        • 0x1136:$s4: PipeCreated
        • 0xeb0:$s5: IClientLoggingHost
        29.2.2AyWKsCvVF.exe.400000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        29.2.2AyWKsCvVF.exe.400000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xff05:$x1: NanoCore Client.exe
        • 0x1018d:$x2: NanoCore.ClientPluginHost
        • 0x117c6:$s1: PluginCommand
        • 0x117ba:$s2: FileCommand
        • 0x1266b:$s3: PipeExists
        • 0x18422:$s4: PipeCreated
        • 0x101b7:$s5: IClientLoggingHost
        29.2.2AyWKsCvVF.exe.400000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
          Click to see the 27 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\2AyWKsCvVF.exe, ProcessId: 6448, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Sigma detected: Scheduled temp file as task from temp locationShow sources
          Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\2AyWKsCvVF.exe, ParentImage: C:\Users\user\Desktop\2AyWKsCvVF.exe, ParentProcessId: 6448, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp', ProcessId: 6924

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 2AyWKsCvVF.exe.6448.11.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["192.253.246.143"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
          Source: 2AyWKsCvVF.exe.6448.11.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["192.253.246.143"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeVirustotal: Detection: 26%Perma Link
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 22%
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeReversingLabs: Detection: 22%
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeVirustotal: Detection: 26%Perma Link
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 22%
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeReversingLabs: Detection: 22%
          Multi AV Scanner detection for submitted fileShow sources
          Source: 2AyWKsCvVF.exeVirustotal: Detection: 26%Perma Link
          Source: 2AyWKsCvVF.exeReversingLabs: Detection: 22%
          Source: 2AyWKsCvVF.exeVirustotal: Detection: 26%Perma Link
          Source: 2AyWKsCvVF.exeReversingLabs: Detection: 22%
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5504, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5720, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORY
          Source: Yara matchFile source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJoe Sandbox ML: detected
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJoe Sandbox ML: detected
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
          Machine Learning detection for sampleShow sources
          Source: 2AyWKsCvVF.exeJoe Sandbox ML: detected
          Source: 2AyWKsCvVF.exeJoe Sandbox ML: detected
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 39.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 33.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 35.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 31.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 39.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 33.2.vlc.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 35.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 31.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: Joe Sandbox ViewIP Address: 192.253.246.143 192.253.246.143
          Source: Joe Sandbox ViewIP Address: 192.253.246.143 192.253.246.143
          Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
          Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
          Source: unknownDNS traffic detected: queries for: swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu
          Source: unknownDNS traffic detected: queries for: swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comB.TTFB
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma%
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comicta
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comB.TTFB
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma%
          Source: 2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comicta
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

          barindex
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5504, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5720, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORY
          Source: Yara matchFile source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_00E9C284
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_00E9E888
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_00E9E898
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_07143AF0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_07143AE0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_0714A1F0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075FD478
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075FD200
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_00E9C284
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_00E9E888
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_00E9E898
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_07143AF0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_07143AE0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_0714A1F0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075FD478
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075FD200
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 11_2_04ECE480
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 11_2_04ECE471
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 11_2_04ECBBD4
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_0174C284
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_0174E898
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_0174E888
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_075F3AC0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_075F3AF0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_075FA2B0
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_0793D478
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_0793D200
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_0099C284
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_0099E898
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_0099E888
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06B23AF0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06B23AE2
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06B229A0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06B22992
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06B2A1F0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06F6D478
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06F6D200
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeCode function: 21_2_00A9C284
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeCode function: 21_2_00A9E888
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeCode function: 21_2_00A9E898
          Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 78491E950A624399F497CEDD25CAE2231223B1BCD2F93379480B3C9EDB4C6A92
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 78491E950A624399F497CEDD25CAE2231223B1BCD2F93379480B3C9EDB4C6A92
          Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 78491E950A624399F497CEDD25CAE2231223B1BCD2F93379480B3C9EDB4C6A92
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 78491E950A624399F497CEDD25CAE2231223B1BCD2F93379480B3C9EDB4C6A92
          Source: 2AyWKsCvVF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vlc.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: dhcpmon.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 2AyWKsCvVF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vlc.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: dhcpmon.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 2AyWKsCvVF.exe, 00000000.00000002.320035635.000000000056E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.323078814.0000000002B3B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.336458655.0000000007030000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXmfvlwiqxnjrxr.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.515805006.0000000005F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.505380483.000000000074E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.411804326.000000000345B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000000.330027224.0000000000D8E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXmfvlwiqxnjrxr.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.409030977.0000000001549000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.433221202.0000000007660000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001B.00000000.403081755.00000000000CE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001C.00000002.404773382.00000000003CE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000000.405599512.000000000107E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.437858312.0000000005B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.431766541.00000000016DA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exeBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.320035635.000000000056E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.323078814.0000000002B3B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000000.00000002.336458655.0000000007030000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXmfvlwiqxnjrxr.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.515805006.0000000005F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.505380483.000000000074E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.411804326.000000000345B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000000.330027224.0000000000D8E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXmfvlwiqxnjrxr.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.409030977.0000000001549000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 00000012.00000002.433221202.0000000007660000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001B.00000000.403081755.00000000000CE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001C.00000002.404773382.00000000003CE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000000.405599512.000000000107E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.437858312.0000000005B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.431766541.00000000016DA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2AyWKsCvVF.exe
          Source: 2AyWKsCvVF.exeBinary or memory string: OriginalFilenameABW.exe, vs 2AyWKsCvVF.exe
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: vlc.exe PID: 852, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: vlc.exe PID: 5504, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: vlc.exe PID: 5720, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.5280000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 2AyWKsCvVF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vlc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.11.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 2AyWKsCvVF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vlc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.11.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: classification engineClassification label: mal100.troj.evad.winEXE@32/11@14/1
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{3a9317bb-f4c9-498b-9bcd-6f676b5f42c8}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{3a9317bb-f4c9-498b-9bcd-6f676b5f42c8}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7D39.tmpJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7D39.tmpJump to behavior
          Source: 2AyWKsCvVF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 2AyWKsCvVF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 2AyWKsCvVF.exeVirustotal: Detection: 26%
          Source: 2AyWKsCvVF.exeReversingLabs: Detection: 22%
          Source: 2AyWKsCvVF.exeVirustotal: Detection: 26%
          Source: 2AyWKsCvVF.exeReversingLabs: Detection: 22%
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile read: C:\Users\user\Desktop\2AyWKsCvVF.exeJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile read: C:\Users\user\Desktop\2AyWKsCvVF.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe 'C:\Users\user\Desktop\2AyWKsCvVF.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe 0
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe 'C:\Users\user\Desktop\2AyWKsCvVF.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe 0
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 2AyWKsCvVF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 2AyWKsCvVF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 2AyWKsCvVF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: 2AyWKsCvVF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075F0EBA push B800005Ah; ret
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075F3510 push ebp; retf
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075F0EBA push B800005Ah; ret
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_075F3510 push ebp; retf
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_01748B28 pushfd ; iretd
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_0174FEC8 pushfd ; iretd
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_07933510 push ebp; retf
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 18_2_07930EBA push B800005Ah; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_04AF61B0 pushfd ; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_04AF69A0 push ecx; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_04AF6961 push ecx; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06F60EBA push B800005Ah; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_06F63510 push ebp; retf
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93617451115
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93617451115
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93617451115
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93617451115
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93617451115
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93617451115
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to dropped file
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to dropped file
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

          Boot Survival:

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATAJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLANJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATAJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlcJump to behavior

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile opened: C:\Users\user\Desktop\2AyWKsCvVF.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeFile opened: C:\Users\user\Desktop\2AyWKsCvVF.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: 2AyWKsCvVF.exe, 00000000.00000002.336458655.0000000007030000.00000004.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.443565631.00000000068F0000.00000004.00000001.sdmp, vlc.exe, 00000015.00000002.454923027.0000000006600000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLHEAD
          Source: 2AyWKsCvVF.exe, 00000000.00000002.336458655.0000000007030000.00000004.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.443565631.00000000068F0000.00000004.00000001.sdmp, vlc.exe, 00000015.00000002.454923027.0000000006600000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLHEAD
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeWindow / User API: threadDelayed 6333
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeWindow / User API: threadDelayed 3041
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeWindow / User API: foregroundWindowGot 479
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeWindow / User API: threadDelayed 6333
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeWindow / User API: threadDelayed 3041
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeWindow / User API: foregroundWindowGot 479
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 6800Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 5816Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 4508Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4112Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6708Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6844Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 724Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 5824Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4820Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4976Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5376Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5684Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 6800Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 5816Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 4508Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4112Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6708Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6844Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 724Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exe TID: 5824Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4820Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4976Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5376Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 5684Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: vlc.exe, 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: vlc.exe, 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.516486702.0000000006BA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMemory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMemory written: C:\Users\user\Desktop\2AyWKsCvVF.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMemory written: C:\Users\user\Desktop\2AyWKsCvVF.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMemory written: C:\Users\user\Desktop\2AyWKsCvVF.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeMemory written: C:\Users\user\Desktop\2AyWKsCvVF.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeProcess created: C:\Users\user\Desktop\2AyWKsCvVF.exe C:\Users\user\Desktop\2AyWKsCvVF.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.511179981.0000000002E73000.00000004.00000001.sdmpBinary or memory string: Program Manager
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.511179981.0000000002E73000.00000004.00000001.sdmpBinary or memory string: Program Manager
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508035618.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Users\user\Desktop\2AyWKsCvVF.exe VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_07148570 GetUserNameA,
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeCode function: 0_2_07148570 GetUserNameA,
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\2AyWKsCvVF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5504, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5720, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORY
          Source: Yara matchFile source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Detected Nanocore RatShow sources
          Source: 2AyWKsCvVF.exe, 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: 2AyWKsCvVF.exe, 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: vlc.exe, 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: vlc.exe, 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: 2AyWKsCvVF.exe, 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: 2AyWKsCvVF.exe, 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: 2AyWKsCvVF.exe, 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: vlc.exe, 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: vlc.exe, 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: vlc.exe, 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 5644, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 160, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6448, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5000, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 4164, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5504, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vlc.exe PID: 5720, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6976, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2AyWKsCvVF.exe PID: 6776, type: MEMORY
          Source: Yara matchFile source: 29.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 39.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 33.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.2AyWKsCvVF.exe.6070000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 35.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsScheduled Task/Job1Scheduled Task/Job1Process Injection112Masquerading2Input Capture11Security Software Discovery21Remote ServicesInput Capture11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobRegistry Run Keys / Startup Folder11Scheduled Task/Job1Virtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothRemote Access Software1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Registry Run Keys / Startup Folder11Disable or Modify Tools1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol1SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonHidden Files and Directories1Cached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information2DCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319587 Sample: 2AyWKsCvVF.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 62 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 2->62 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 10 other signatures 2->72 9 2AyWKsCvVF.exe 1 6 2->9         started        13 2AyWKsCvVF.exe 4 2->13         started        15 vlc.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 file5 56 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 9->56 dropped 58 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 9->58 dropped 60 C:\Users\user\AppData\...\2AyWKsCvVF.exe.log, ASCII 9->60 dropped 76 Injects a PE file into a foreign processes 9->76 19 2AyWKsCvVF.exe 1 12 9->19         started        24 2AyWKsCvVF.exe 13->24         started        26 2AyWKsCvVF.exe 13->26         started        28 2AyWKsCvVF.exe 13->28         started        30 vlc.exe 15->30         started        38 2 other processes 15->38 32 dhcpmon.exe 17->32         started        34 vlc.exe 17->34         started        36 dhcpmon.exe 17->36         started        signatures6 process7 dnsIp8 64 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 192.253.246.143, 2017, 49728, 49735 LEASEWEB-USA-NYC-11US United States 19->64 48 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->48 dropped 50 C:\Users\user\AppData\Roaming\...\run.dat, data 19->50 dropped 52 C:\Users\user\AppData\Local\...\tmp7D39.tmp, XML 19->52 dropped 54 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->54 dropped 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->74 40 schtasks.exe 1 19->40         started        42 schtasks.exe 1 19->42         started        file9 signatures10 process11 process12 44 conhost.exe 40->44         started        46 conhost.exe 42->46         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          2AyWKsCvVF.exe26%VirustotalBrowse
          2AyWKsCvVF.exe23%ReversingLabsByteCode-MSIL.Trojan.DelShad
          2AyWKsCvVF.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe100%Joe Sandbox ML
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe26%VirustotalBrowse
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe23%ReversingLabsByteCode-MSIL.Trojan.DelShad
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe23%ReversingLabsByteCode-MSIL.Trojan.DelShad

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          29.2.2AyWKsCvVF.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          39.2.vlc.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          11.2.2AyWKsCvVF.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          33.2.vlc.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          35.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          31.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

          Domains

          SourceDetectionScannerLabelLink
          swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu4%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.fontbureau.comicta0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.fontbureau.comB.TTFB0%Avira URL Cloudsafe
          http://www.fontbureau.coma0%URL Reputationsafe
          http://www.fontbureau.coma0%URL Reputationsafe
          http://www.fontbureau.coma0%URL Reputationsafe
          http://www.fontbureau.coma0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.fontbureau.coma%0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu
          192.253.246.143
          truetrueunknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.apache.org/licenses/LICENSE-2.02AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
            high
            http://www.fontbureau.com2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
              high
              http://www.fontbureau.com/designersG2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                high
                http://www.fontbureau.com/designers/?2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                  high
                  http://www.founder.com.cn/cn/bThe2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.com/designers?2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                    high
                    http://www.fontbureau.comicta2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.tiro.comvlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designersvlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                      high
                      http://www.goodfont.co.kr2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comB.TTFB2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.coma2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.coml2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.sajatypeworks.com2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.typography.netD2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/cThe2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.galapagosdesign.com/staff/dennis.htm2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://fontfabrik.com2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.founder.com.cn/cn2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers/frere-jones.html2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                          high
                          http://www.jiyu-kobo.co.jp/2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.galapagosdesign.com/DPlease2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers82AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                            high
                            http://www.fonts.com2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                              high
                              http://www.sandoll.co.kr2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.urwpp.deDPlease2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.zhongyicts.com.cn2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.sakkal.com2AyWKsCvVF.exe, 00000000.00000002.334338499.00000000058F0000.00000002.00000001.sdmp, 2AyWKsCvVF.exe, 00000012.00000002.426541811.0000000006060000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.440473204.0000000005570000.00000002.00000001.sdmp, vlc.exe, 00000015.00000002.447119366.0000000005500000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.467839168.0000000005B80000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.480161069.0000000005580000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.coma%2AyWKsCvVF.exe, 00000000.00000002.321022810.0000000000EE7000.00000004.00000040.sdmpfalse
                              • Avira URL Cloud: safe
                              low

                              Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public

                              IPDomainCountryFlagASNASN NameMalicious
                              192.253.246.143
                              unknownUnited States
                              396362LEASEWEB-USA-NYC-11UStrue

                              General Information

                              Joe Sandbox Version:31.0.0 Red Diamond
                              Analysis ID:319587
                              Start date:18.11.2020
                              Start time:13:13:26
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 13m 19s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:2AyWKsCvVF.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:40
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@32/11@14/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 0.6% (good quality ratio 0.5%)
                              • Quality average: 61.3%
                              • Quality standard deviation: 31%
                              HCA Information:
                              • Successful, ratio: 96%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              Show All
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 40.122.171.231, 104.43.193.48, 23.210.248.85, 51.104.139.180, 8.253.204.249, 67.27.235.126, 67.27.233.126, 67.26.137.254, 67.26.75.254, 40.64.100.89, 51.103.5.159, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.144.132
                              • Excluded domains from analysis (whitelisted): mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolcus07.cloudapp.net
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              13:15:00AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
                              13:15:02Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\2AyWKsCvVF.exe" s>$(Arg0)
                              13:15:02API Interceptor675x Sleep call for process: 2AyWKsCvVF.exe modified
                              13:15:05Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                              13:15:08AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              13:15:17AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              192.253.246.143HLiw2LPA8i.rtfGet hashmaliciousBrowse
                                f3wo2FuLN6.exeGet hashmaliciousBrowse
                                  TLpMnhJmg7.exeGet hashmaliciousBrowse
                                    HDyADDoI3I.exeGet hashmaliciousBrowse
                                      3NWyBfF98R.exeGet hashmaliciousBrowse

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euHLiw2LPA8i.rtfGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        f3wo2FuLN6.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exeGet hashmaliciousBrowse
                                        • 192.253.246.138
                                        Payment_Order_20201111.xlsxGet hashmaliciousBrowse
                                        • 192.253.246.138
                                        TLpMnhJmg7.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        HDyADDoI3I.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        S21Ji2TNug.exeGet hashmaliciousBrowse
                                        • 192.253.246.141
                                        3NWyBfF98R.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        22OR3ghklx.exeGet hashmaliciousBrowse
                                        • 194.5.98.68
                                        2iVTzj8Bbe.exeGet hashmaliciousBrowse
                                        • 5.135.233.28

                                        ASN

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        LEASEWEB-USA-NYC-11UStn9jVPvlMSqAUX5.exeGet hashmaliciousBrowse
                                        • 23.105.131.229
                                        HLiw2LPA8i.rtfGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        TDToxqrclL.exeGet hashmaliciousBrowse
                                        • 23.105.131.177
                                        Ziiq5tI3CT.exeGet hashmaliciousBrowse
                                        • 23.105.131.239
                                        f3wo2FuLN6.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        ORDER INQUIRY.pdf.exeGet hashmaliciousBrowse
                                        • 23.105.131.177
                                        Purchase Order 4500033557.pdf.exeGet hashmaliciousBrowse
                                        • 23.105.131.177
                                        SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exeGet hashmaliciousBrowse
                                        • 192.253.246.138
                                        Proof_of_payment.xlsmGet hashmaliciousBrowse
                                        • 23.105.131.217
                                        invoice tax.xlsmGet hashmaliciousBrowse
                                        • 23.105.131.217
                                        SHIPPING DOCUMENTS.pdf.exeGet hashmaliciousBrowse
                                        • 23.105.131.177
                                        Payment_Order_20201111.xlsxGet hashmaliciousBrowse
                                        • 192.253.246.138
                                        TLpMnhJmg7.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        HDyADDoI3I.exeGet hashmaliciousBrowse
                                        • 192.253.246.143
                                        11.exeGet hashmaliciousBrowse
                                        • 173.234.155.145
                                        53C29QAJnd.exeGet hashmaliciousBrowse
                                        • 173.234.155.145
                                        OMQZvmAmCj.exeGet hashmaliciousBrowse
                                        • 173.234.155.145
                                        gH4o5FCHAE.exeGet hashmaliciousBrowse
                                        • 173.234.155.145
                                        SHIPPING INVOICE.pdf.exeGet hashmaliciousBrowse
                                        • 23.105.131.177
                                        DOCUMENTO WAYBILL.exeGet hashmaliciousBrowse
                                        • 23.105.131.133

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeHLiw2LPA8i.rtfGet hashmaliciousBrowse
                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeHLiw2LPA8i.rtfGet hashmaliciousBrowse

                                            Created / dropped Files

                                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):798720
                                            Entropy (8bit):7.062174295870852
                                            Encrypted:false
                                            SSDEEP:24576:Jsa5TcLNpo2AbAtY7/6RQeWXKaRXKzklCbX:baha2EAt46wXKaRDCb
                                            MD5:678DAC5FC4C6A55F032BA40698895E6A
                                            SHA1:8EA9541292F8E5D68948031EBCEDAFE04DDA4A36
                                            SHA-256:78491E950A624399F497CEDD25CAE2231223B1BCD2F93379480B3C9EDB4C6A92
                                            SHA-512:3183B4FF5E16E81BD6E0509FA473F42AE8DB8D9C9B41405E8A723BA4647DDBD58356A324B3C6FBC9AC390BC592086C07424D65ECF34EA79BD6862D7FD80C58C6
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 26%, Browse
                                            • Antivirus: ReversingLabs, Detection: 23%
                                            Joe Sandbox View:
                                            • Filename: HLiw2LPA8i.rtf, Detection: malicious, Browse
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................z......v.... ........@.. ....................................@.................................,...J........v...................`....................................................... ............... ..H............text...|.... ...................... ..`.rsrc....v.......x..................@..@.reloc.......`......................@..B................\.......H............F..............\...........................................N+.+.*(....+.(....+.6.(.....(x...*..>+.+.*.+.(....+..0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+......(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(.
                                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview: [ZoneTransfer]....ZoneId=0
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2AyWKsCvVF.exe.log
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1119
                                            Entropy (8bit):5.356708753875314
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                            MD5:3197B1D4714B56F2A6AC9E83761739AE
                                            SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                            SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                            SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                            Malicious:true
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1119
                                            Entropy (8bit):5.356708753875314
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                            MD5:3197B1D4714B56F2A6AC9E83761739AE
                                            SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                            SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                            SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                            Malicious:false
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log
                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1119
                                            Entropy (8bit):5.356708753875314
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                            MD5:3197B1D4714B56F2A6AC9E83761739AE
                                            SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                            SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                            SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                            Malicious:false
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Temp\tmp7D39.tmp
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1304
                                            Entropy (8bit):5.1124711257645075
                                            Encrypted:false
                                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Jxtn:cbk4oL600QydbQxIYODOLedq3Oj
                                            MD5:9999914B14FFDFDDA9685849889917DE
                                            SHA1:67C27D3B5295EA8F29E5BA4CB10D4A6155976967
                                            SHA-256:56CA0B8BC6EC1B4452ABB85E020266B489D1BBB6443FA6EDEA01E335A63398E6
                                            SHA-512:45F3D0DB65D89F26275B1664BA00BE0406F5183C3B557EB4E533D94055D194AEC1691998E63E8F51F49E44FC97359FF214FD9D4853A505EA8DB19D248A06C051
                                            Malicious:true
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                            C:\Users\user\AppData\Local\Temp\tmp8057.tmp
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1310
                                            Entropy (8bit):5.109425792877704
                                            Encrypted:false
                                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                            Malicious:false
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):3.0
                                            Encrypted:false
                                            SSDEEP:3:lan:Un
                                            MD5:AC85C44515BB2C0D226060A0D1496650
                                            SHA1:E3730269DA672F64F46FA96F84CEDBA350523688
                                            SHA-256:1D6702B959BA0461DAABD1D3F87FA0F54B50F863456ECFBDB711B72C6A2CF646
                                            SHA-512:95D43C22198DC84EC66945636D2A39D386D69DB4CF112004688F925F4C9C1FE10AC5B779DB140C5CCCC73C3B40A4CA3DF9AF3E3C8E6AD085EF0BD4B44B258680
                                            Malicious:true
                                            Preview: .Lp....H
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):41
                                            Entropy (8bit):4.352203688791898
                                            Encrypted:false
                                            SSDEEP:3:oN0naRRXV06jL4A:oNcSRl024A
                                            MD5:95361324BE4FA332D8223A825C139D50
                                            SHA1:72D22B0B1779C9C26ACA149661D421C3B3604657
                                            SHA-256:8514212D281B67AE2477555835D83674411129248B8F45FA9BD871B9B72C6A54
                                            SHA-512:AD6AE5DC2AC2CD53D5F797EECAFA5AF7D10F8844022700C3E60943A65BA823D013CCF4DA3CC830C374A75C708D89AEB14E9A50ED83BE53C318A6A0D00EE460E3
                                            Malicious:false
                                            Preview: C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):798720
                                            Entropy (8bit):7.062174295870852
                                            Encrypted:false
                                            SSDEEP:24576:Jsa5TcLNpo2AbAtY7/6RQeWXKaRXKzklCbX:baha2EAt46wXKaRDCb
                                            MD5:678DAC5FC4C6A55F032BA40698895E6A
                                            SHA1:8EA9541292F8E5D68948031EBCEDAFE04DDA4A36
                                            SHA-256:78491E950A624399F497CEDD25CAE2231223B1BCD2F93379480B3C9EDB4C6A92
                                            SHA-512:3183B4FF5E16E81BD6E0509FA473F42AE8DB8D9C9B41405E8A723BA4647DDBD58356A324B3C6FBC9AC390BC592086C07424D65ECF34EA79BD6862D7FD80C58C6
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 23%
                                            Joe Sandbox View:
                                            • Filename: HLiw2LPA8i.rtf, Detection: malicious, Browse
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................z......v.... ........@.. ....................................@.................................,...J........v...................`....................................................... ............... ..H............text...|.... ...................... ..`.rsrc....v.......x..................@..@.reloc.......`......................@..B................\.......H............F..............\...........................................N+.+.*(....+.(....+.6.(.....(x...*..>+.+.*.+.(....+..0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+......(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(.
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview: [ZoneTransfer]....ZoneId=0

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.062174295870852
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:2AyWKsCvVF.exe
                                            File size:798720
                                            MD5:678dac5fc4c6a55f032ba40698895e6a
                                            SHA1:8ea9541292f8e5d68948031ebcedafe04dda4a36
                                            SHA256:78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92
                                            SHA512:3183b4ff5e16e81bd6e0509fa473f42ae8db8d9c9b41405e8a723ba4647ddbd58356a324b3c6fbc9ac390bc592086c07424d65ecf34ea79bd6862d7fd80c58c6
                                            SSDEEP:24576:Jsa5TcLNpo2AbAtY7/6RQeWXKaRXKzklCbX:baha2EAt46wXKaRDCb
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................z......v.... ........@.. ....................................@................................

                                            File Icon

                                            Icon Hash:74f2dbb284c2e2ee

                                            Static PE Info

                                            General

                                            Entrypoint:0x47d376
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x5FB48592 [Wed Nov 18 02:23:14 2020 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x7d32c0x4a.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x7e0000x47615.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xc60000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000x7b37c0x7b400False0.946120689655data7.93617451115IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc0x7e0000x476150x47800False0.200171410621data4.66082809621IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0xc60000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountry
                                            RT_ICON0x7e08c0x42028dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
                                            RT_ICON0xc00d80x25a8data
                                            RT_ICON0xc26a40x10a8data
                                            RT_ICON0xc37700x988data
                                            RT_ICON0xc411c0x468GLS_BINARY_LSB_FIRST
                                            RT_GROUP_ICON0xc45c00x4cdata
                                            RT_VERSION0xc46480x33cdata
                                            RT_MANIFEST0xc49c00xc55XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Version Infos

                                            DescriptionData
                                            Translation0x0000 0x04b0
                                            LegalCopyright(c) 2020 Skype and/or Microsoft
                                            Assembly Version8.61.0.87
                                            InternalNameABW.exe
                                            FileVersion8.61.0.87
                                            CompanyNameSkype Technologies S.A.
                                            CommentsSkype Setup
                                            ProductNameSkype
                                            ProductVersion8.61.0.87
                                            FileDescriptionSkype Setup
                                            OriginalFilenameABW.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 18, 2020 13:15:04.257178068 CET497282017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:04.567527056 CET201749728192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:05.163006067 CET497282017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:05.473237038 CET201749728192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:05.980878115 CET497282017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:06.291510105 CET201749728192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:10.527563095 CET497352017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:10.866230011 CET201749735192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:11.418787003 CET497352017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:11.838531971 CET201749735192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:12.418890953 CET497352017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:12.750057936 CET201749735192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:16.804665089 CET497462017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:17.159245014 CET201749746192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:17.719794989 CET497462017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:18.078959942 CET201749746192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:18.591330051 CET497462017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:18.999630928 CET201749746192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:23.247824907 CET497472017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:23.603555918 CET201749747192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:24.107378960 CET497472017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:24.423556089 CET201749747192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:25.107481956 CET497472017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:25.447871923 CET201749747192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:29.492758036 CET497482017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:29.854454041 CET201749748192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:30.467434883 CET497482017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:36.467822075 CET497482017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:36.779057026 CET201749748192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:41.064198017 CET497492017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:41.429009914 CET201749749192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:41.937490940 CET497492017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:42.348604918 CET201749749192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:42.858931065 CET497492017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:43.269334078 CET201749749192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:47.367022991 CET497502017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:47.674303055 CET201749750192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:48.187544107 CET497502017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:48.593672037 CET201749750192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:49.094141006 CET497502017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:49.409420967 CET201749750192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:53.465146065 CET497532017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:53.816565037 CET201749753192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:54.328711033 CET497532017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:54.742865086 CET201749753192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:15:55.250633001 CET497532017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:15:55.561321020 CET201749753192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:00.023139000 CET497542017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:00.333301067 CET201749754192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:00.845179081 CET497542017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:01.188616037 CET201749754192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:01.704370022 CET497542017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:02.110388994 CET201749754192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:06.181993008 CET497552017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:06.489480019 CET201749755192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:07.001641989 CET497552017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:07.330274105 CET201749755192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:07.845446110 CET497552017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:08.251686096 CET201749755192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:12.310183048 CET497562017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:12.659724951 CET201749756192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:13.174256086 CET497562017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:13.485918045 CET201749756192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:13.986845016 CET497562017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:14.344104052 CET201749756192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:18.510282993 CET497572017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:18.820801973 CET201749757192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:19.330920935 CET497572017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:19.722898006 CET201749757192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:20.238782883 CET497572017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:20.644606113 CET201749757192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:24.696957111 CET497582017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:25.049243927 CET201749758192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:25.565699100 CET497582017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:25.877461910 CET201749758192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:26.379347086 CET497582017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:26.691189051 CET201749758192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:30.743957043 CET497592017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:31.091018915 CET201749759192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:31.597387075 CET497592017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:31.936604977 CET201749759192.253.246.143192.168.2.7
                                            Nov 18, 2020 13:16:32.441303968 CET497592017192.168.2.7192.253.246.143
                                            Nov 18, 2020 13:16:32.752310038 CET201749759192.253.246.143192.168.2.7

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 18, 2020 13:14:16.334083080 CET6033853192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:16.361186028 CET53603388.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:17.258542061 CET5871753192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:17.294179916 CET53587178.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:18.220112085 CET5976253192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:18.247369051 CET53597628.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:19.088411093 CET5432953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:19.115885019 CET53543298.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:20.013658047 CET5805253192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:20.040905952 CET53580528.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:20.973460913 CET5400853192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:21.000807047 CET53540088.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:21.994016886 CET5945153192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:22.030141115 CET53594518.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:22.903172970 CET5291453192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:22.940905094 CET53529148.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:23.796224117 CET6456953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:23.823364973 CET53645698.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:24.710278034 CET5281653192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:24.737350941 CET53528168.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:25.549248934 CET5078153192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:25.576479912 CET53507818.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:26.507963896 CET5423053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:26.535109997 CET53542308.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:27.400171041 CET5491153192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:27.427227974 CET53549118.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:28.241380930 CET4995853192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:28.268456936 CET53499588.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:29.083427906 CET5086053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:29.110635996 CET53508608.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:30.338119984 CET5045253192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:30.368040085 CET53504528.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:31.185043097 CET5973053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:31.212316036 CET53597308.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:32.050189018 CET5931053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:32.085835934 CET53593108.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:32.627278090 CET5191953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:32.664104939 CET53519198.8.8.8192.168.2.7
                                            Nov 18, 2020 13:14:42.595653057 CET6429653192.168.2.78.8.8.8
                                            Nov 18, 2020 13:14:42.622812986 CET53642968.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:02.741520882 CET5668053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:02.768811941 CET53566808.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:04.144943953 CET5882053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:04.172987938 CET6098353192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:04.203042030 CET53588208.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:04.208764076 CET53609838.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:04.411902905 CET4924753192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:04.462351084 CET53492478.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:05.393771887 CET5228653192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:05.429589033 CET53522868.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:05.994560957 CET5606453192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:06.030332088 CET53560648.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:07.482305050 CET6374453192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:07.517927885 CET53637448.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:09.852799892 CET6145753192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:09.888607979 CET53614578.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:10.418124914 CET5836753192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:10.454072952 CET53583678.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:10.487066984 CET6059953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:10.522847891 CET53605998.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:10.974488974 CET5957153192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:11.001782894 CET53595718.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:11.025796890 CET5268953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:11.052932978 CET53526898.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:12.653100967 CET5029053192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:12.688760042 CET53502908.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:14.375849009 CET6042753192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:14.411693096 CET53604278.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:15.742705107 CET5620953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:15.780607939 CET53562098.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:16.661848068 CET5958253192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:16.698621035 CET53595828.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:16.767863035 CET6094953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:16.803494930 CET53609498.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:23.192267895 CET5854253192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:23.243531942 CET53585428.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:29.455739975 CET5917953192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:29.491556883 CET53591798.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:40.852751017 CET6092753192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:40.888389111 CET53609278.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:47.328639984 CET5785453192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:47.364285946 CET53578548.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:48.831229925 CET6202653192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:48.858542919 CET53620268.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:52.543030024 CET5945353192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:52.570125103 CET53594538.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:53.427609921 CET6246853192.168.2.78.8.8.8
                                            Nov 18, 2020 13:15:53.463145018 CET53624688.8.8.8192.168.2.7
                                            Nov 18, 2020 13:15:59.986233950 CET5256353192.168.2.78.8.8.8
                                            Nov 18, 2020 13:16:00.021874905 CET53525638.8.8.8192.168.2.7
                                            Nov 18, 2020 13:16:06.144609928 CET5472153192.168.2.78.8.8.8
                                            Nov 18, 2020 13:16:06.180191040 CET53547218.8.8.8192.168.2.7
                                            Nov 18, 2020 13:16:12.271882057 CET6282653192.168.2.78.8.8.8
                                            Nov 18, 2020 13:16:12.307739019 CET53628268.8.8.8192.168.2.7
                                            Nov 18, 2020 13:16:18.472783089 CET6204653192.168.2.78.8.8.8
                                            Nov 18, 2020 13:16:18.508119106 CET53620468.8.8.8192.168.2.7
                                            Nov 18, 2020 13:16:24.660619974 CET5122353192.168.2.78.8.8.8
                                            Nov 18, 2020 13:16:24.696073055 CET53512238.8.8.8192.168.2.7
                                            Nov 18, 2020 13:16:30.707820892 CET6390853192.168.2.78.8.8.8
                                            Nov 18, 2020 13:16:30.743345022 CET53639088.8.8.8192.168.2.7

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                            Nov 18, 2020 13:15:04.144943953 CET192.168.2.78.8.8.80xd869Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:10.487066984 CET192.168.2.78.8.8.80xa36cStandard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:16.767863035 CET192.168.2.78.8.8.80xe976Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:23.192267895 CET192.168.2.78.8.8.80x138Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:29.455739975 CET192.168.2.78.8.8.80x29e3Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:40.852751017 CET192.168.2.78.8.8.80x5b7dStandard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:47.328639984 CET192.168.2.78.8.8.80xd630Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:53.427609921 CET192.168.2.78.8.8.80xaa4cStandard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:59.986233950 CET192.168.2.78.8.8.80x76beStandard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:06.144609928 CET192.168.2.78.8.8.80x6be6Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:12.271882057 CET192.168.2.78.8.8.80x6a7aStandard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:18.472783089 CET192.168.2.78.8.8.80xfb93Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:24.660619974 CET192.168.2.78.8.8.80x6c99Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:30.707820892 CET192.168.2.78.8.8.80x98a6Standard query (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.euA (IP address)IN (0x0001)

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                            Nov 18, 2020 13:15:04.203042030 CET8.8.8.8192.168.2.70xd869No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:10.522847891 CET8.8.8.8192.168.2.70xa36cNo error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:16.803494930 CET8.8.8.8192.168.2.70xe976No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:23.243531942 CET8.8.8.8192.168.2.70x138No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:29.491556883 CET8.8.8.8192.168.2.70x29e3No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:40.888389111 CET8.8.8.8192.168.2.70x5b7dNo error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:47.364285946 CET8.8.8.8192.168.2.70xd630No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:15:53.463145018 CET8.8.8.8192.168.2.70xaa4cNo error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:00.021874905 CET8.8.8.8192.168.2.70x76beNo error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:06.180191040 CET8.8.8.8192.168.2.70x6be6No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:12.307739019 CET8.8.8.8192.168.2.70x6a7aNo error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:18.508119106 CET8.8.8.8192.168.2.70xfb93No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:24.696073055 CET8.8.8.8192.168.2.70x6c99No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)
                                            Nov 18, 2020 13:16:30.743345022 CET8.8.8.8192.168.2.70x98a6No error (0)swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu192.253.246.143A (IP address)IN (0x0001)

                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Start time:13:14:19
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\2AyWKsCvVF.exe'
                                            Imagebase:0x4b0000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.324205018.00000000037D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:13:14:57
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Imagebase:0x690000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.503442385.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.508585583.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.512799429.0000000003A89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.515934182.0000000006070000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.515202171.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth
                                            Reputation:low

                                            General

                                            Start time:13:15:00
                                            Start date:18/11/2020
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D39.tmp'
                                            Imagebase:0x13b0000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:15:01
                                            Start date:18/11/2020
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff774ee0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:15:01
                                            Start date:18/11/2020
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8057.tmp'
                                            Imagebase:0x13b0000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:15:02
                                            Start date:18/11/2020
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff774ee0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:15:02
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\2AyWKsCvVF.exe 0
                                            Imagebase:0xcd0000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.413173829.00000000040F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:13:15:05
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                            Imagebase:0x1c0000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.428448474.0000000003569000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 26%, Virustotal, Browse
                                            • Detection: 23%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:13:15:08
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                            Imagebase:0x80000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.433776736.0000000003479000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 23%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:13:15:18
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                            Imagebase:0x600000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.462834222.0000000003C59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:13:15:26
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                            Imagebase:0x230000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.473151225.00000000035A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:13:15:36
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Imagebase:0x10000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:13:15:37
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Imagebase:0x310000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:13:15:37
                                            Start date:18/11/2020
                                            Path:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\2AyWKsCvVF.exe
                                            Imagebase:0xfc0000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.428411812.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.433424124.0000000004439000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.433041265.0000000003431000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:13:15:43
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Imagebase:0xb30000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.443489424.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.453662342.00000000040F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.452648139.00000000030F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                            General

                                            Start time:13:15:43
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0xea0000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.454007253.0000000004299000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.444761456.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.453327422.0000000003291000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                            General

                                            Start time:13:15:55
                                            Start date:18/11/2020
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Imagebase:0xa60000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000023.00000002.475445043.0000000002F11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000023.00000002.471978530.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000023.00000002.475606166.0000000003F19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                            General

                                            Start time:13:16:04
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0x240000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:13:16:05
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0x2b0000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:13:16:06
                                            Start date:18/11/2020
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                            Imagebase:0x890000
                                            File size:798720 bytes
                                            MD5 hash:678DAC5FC4C6A55F032BA40698895E6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000027.00000002.487906789.0000000002D01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000027.00000002.486406392.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000027.00000002.488034927.0000000003D09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                            Disassembly

                                            Code Analysis

                                            Reset < >